
CVE-2024-51996: Symfony PHP Framework Auth Bypass Flaw

CVE-2024-51996 is an authentication bypass vulnerability in the Symfony PHP framework that affects remember-me cookie validation. Attackers can bypass authentication checks to gain unauthorized access. This article covers technical details, affected versions, impact assessment, and mitigation strategies.


CVE-2024-51996 Overview

CVE-2024-51996 is an authentication bypass vulnerability in the Symfony PHP framework's Security HTTP component. When consuming a persisted remember-me cookie, Symfony does not check whether the username persisted in the database matches the username attached to the cookie. An attacker who controls a valid remember-me series token can authenticate as a different user, bypassing identity verification. The flaw is tracked as [CWE-287] Improper Authentication. Fixed releases are 5.4.47, 6.4.15, and 7.1.8.

Critical Impact

Attackers leveraging a persisted remember-me token can impersonate other application users without valid credentials, undermining session authentication across Symfony-based web applications.

Affected Products

  • Symfony Security HTTP component versions prior to 5.4.47
  • Symfony Security HTTP component 6.x versions prior to 6.4.15
  • Symfony Security HTTP component 7.x versions prior to 7.1.8

Discovery Timeline

  • 2024-11-13 - CVE-2024-51996 published to NVD
  • 2026-04-15 - Last updated in the NVD database

Technical Details for CVE-2024-51996

Vulnerability Analysis

The vulnerability resides in PersistentRememberMeHandler::processRememberMe() within the Symfony Security HTTP component. Symfony's remember-me feature issues a cookie containing a series identifier and a token value. The handler loads the persisted token row from storage using the series identifier and validates the token value. However, before the patch, the handler never compared the user identifier and user class stored in the database with the values carried by the cookie. An attacker holding a legitimately issued series and token could craft a cookie with an arbitrary userIdentifier and userFqcn, and Symfony would authenticate the request as that arbitrary user.

Root Cause

The owner of the persisted token was never verified against the identity claimed by the cookie. Authentication relied solely on series and token value matching, treating the rest of the cookie payload as trusted input. This violates the principle that data carried by client-controlled cookies must never be used to assign identity without server-side cross-checking.
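To make the root cause concrete, the following is an added example, not Symfony's code: a reduced PHP model of how a persisted remember-me cookie is consumed, with the pre-patch identity resolution beside the patched owner comparison. The cookie layout, the class names and the function names are assumptions for illustration and simplify the real RememberMeDetails format; PHP 8.1 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: a reduced model of persistent remember-me
// consumption that contrasts the pre-patch check with the patched owner comparison.
// Assumes PHP 8.1+. Class, function and cookie layout here are constructed for illustration.

// One row of the constructed token store, mirroring the fields the handler compares.
final class PersistedToken
{
    public function __construct(
        public readonly string $class,
        public readonly string $userIdentifier,
        public readonly string $series,
        public readonly string $tokenValue,
    ) {
    }
}

// Constructed stand-in for the token provider, keyed by series like the database row.
final class InMemoryTokenProvider
{
    /** @var array<string, PersistedToken> */
    private array $rows = [];

    public function store(PersistedToken $token): void
    {
        $this->rows[$token->series] = $token;
    }

    public function loadTokenBySeries(string $series): PersistedToken
    {
        return $this->rows[$series] ?? throw new RuntimeException('Unknown series.');
    }
}

// Simplified cookie layout "userFqcn:userIdentifier:series:tokenValue" (assumption:
// the real cookie is base64-wrapped and also carries an expiry timestamp).
function parseCookie(string $raw): array
{
    $parts = explode(':', $raw, 4);
    if (count($parts) !== 4) {
        throw new RuntimeException('The cookie is incorrectly formatted.');
    }

    return ['fqcn' => $parts[0], 'identifier' => $parts[1], 'series' => $parts[2], 'token' => $parts[3]];
}

// Pre-patch behaviour: once series and token value match, the identity is read
// straight from the cookie, so the claimed user is never cross-checked.
function resolveUserBeforePatch(InMemoryTokenProvider $provider, string $rawCookie): string
{
    $cookie = parseCookie($rawCookie);
    $persisted = $provider->loadTokenBySeries($cookie['series']);
    if (!hash_equals($persisted->tokenValue, $cookie['token'])) {
        throw new RuntimeException('Token value mismatch.');
    }

    return $cookie['identifier']; // client-controlled value used as identity
}

// Patched behaviour: the persisted row's owner must agree with the cookie's claim,
// and after that the cookie's identity fields are discarded.
function resolveUserAfterPatch(InMemoryTokenProvider $provider, string $rawCookie): string
{
    $cookie = parseCookie($rawCookie);
    $persisted = $provider->loadTokenBySeries($cookie['series']);
    if ($persisted->userIdentifier !== $cookie['identifier'] || $persisted->class !== $cookie['fqcn']) {
        throw new RuntimeException('Cookie identity does not match the persisted token.');
    }
    unset($cookie['identifier'], $cookie['fqcn']); // nothing below may rely on them

    if (!hash_equals($persisted->tokenValue, $cookie['token'])) {
        throw new RuntimeException('Token value mismatch.');
    }

    return $persisted->userIdentifier; // identity comes from server-side storage only
}

// Constructed data: a token legitimately issued to "alice".
$provider = new InMemoryTokenProvider();
$provider->store(new PersistedToken('App\\Entity\\User', 'alice', 'series-0001', 'tok-0001'));

// The same series/token pair presented with a different claimed identifier.
$mismatched = 'App\\Entity\\User:bob:series-0001:tok-0001';

echo 'before patch: ', resolveUserBeforePatch($provider, $mismatched), PHP_EOL;
try {
    echo 'after patch: ', resolveUserAfterPatch($provider, $mismatched), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'after patch: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

Run it with `php` 8.1 or later: the pre-patch resolver returns whatever identifier the cookie claims, while the patched resolver rejects the same cookie because the persisted row belongs to a different user. The design point is the final `return` of the patched function: once the owner check passes, the identity is taken only from server-side storage, so the cookie payload can no longer assign identity even if a later refactor forgets the comparison.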

Attack Vector

Exploitation is network-based and requires no privileges or user interaction beyond obtaining a valid persisted remember-me cookie issued by the target application. An attacker who can mint a remember-me cookie under their own account, then substitute the embedded user identifier with that of a victim, will be authenticated as the victim on the next request that triggers the remember-me handler.

php
            throw new AuthenticationException('The cookie is incorrectly formatted.');
        }

-        [$series, $tokenValue] = explode(':', $rememberMeDetails->getValue());
+        [$series, $tokenValue] = explode(':', $rememberMeDetails->getValue(), 2);
        $persistentToken = $this->tokenProvider->loadTokenBySeries($series);

+        if ($persistentToken->getUserIdentifier() !== $rememberMeDetails->getUserIdentifier() || $persistentToken->getClass() !== $rememberMeDetails->getUserFqcn()) {
+            throw new AuthenticationException('The cookie\'s hash is invalid.');
+        }
+
+        // content of $rememberMeDetails is not trustable. this prevents use of this class
+        unset($rememberMeDetails);
+
        if ($this->tokenVerifier) {
            $isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);
        } else {
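Review bot: the new owner check at the top of the hunk throws 'The cookie's hash is invalid.', which misdescribes the failure: what mismatched is the user identifier or class between the persisted token and the cookie, not a hash, and the message will mislead anyone triaging logs. Suggest a message such as 'The cookie does not match the persisted token.' The accompanying comment 'content of $rememberMeDetails is not trustable. this prevents use of this class' also needs tidying, e.g. '// $rememberMeDetails carries client-controlled data; unset it so nothing below can rely on it.' The ordering itself is right: the owner comparison and the unset() sit before the tokenVerifier branch, so a mismatch fails closed whichever verification path runs, and the explode() limit of 2 keeps a token value containing ':' from shifting the fields.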

Source: Symfony security patch commit 81354d3

Detection Methods for CVE-2024-51996

Indicators of Compromise

  • Authentication events where the session user identifier does not match prior login activity originating from the same remember-me series.
  • Multiple successful remember-me authentications referencing the same series identifier but resolving to different user accounts.
  • Application logs showing PersistentRememberMeHandler consuming cookies followed by unexpected privilege actions.

Detection Strategies

  • Audit Symfony application logs for remember-me authentications and correlate the resolved user identifier with the user identifier embedded in the inbound cookie.
  • Inventory deployed Symfony installations and flag versions older than 5.4.47, 6.4.15, or 7.1.8.
  • Inspect Composer lock files in source control and CI pipelines for vulnerable symfony/security-http versions.

Monitoring Recommendations

  • Enable verbose authentication logging in the Symfony security firewall and ship logs to a centralized analytics platform.
  • Alert on anomalous account access patterns such as a single client IP authenticating as multiple distinct user identifiers in a short window.
  • Track changes to the rememberme_token storage table for unexpected reuse of series values across accounts.
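As an added example that is not from the page's authors or from Symfony, the following PHP script applies two of the detection ideas above to a handful of constructed log lines: it flags a remember-me series that resolves to more than one user identifier, and a client IP that authenticates as several distinct users within a short window. The log line layout (`series=`, `user=`, `ip=` fields) and the function names are assumptions for this example; adapt the regular expression to the remember-me log format your application actually emits.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Five constructed log lines; the field layout
// (series=, user=, ip=) is an assumption, not Symfony's default log format.
const SAMPLE_LOG = <<<'LOG'
2024-11-14T10:00:01+00:00 security.INFO remember_me_success series=s-aaa user=alice ip=203.0.113.5
2024-11-14T10:00:09+00:00 security.INFO remember_me_success series=s-bbb user=bob ip=198.51.100.7
2024-11-14T10:02:30+00:00 security.INFO remember_me_success series=s-aaa user=carol ip=203.0.113.5
2024-11-14T10:03:12+00:00 security.INFO remember_me_success series=s-aaa user=dave ip=203.0.113.5
2024-11-14T11:30:00+00:00 security.INFO remember_me_success series=s-bbb user=bob ip=198.51.100.7
LOG;

/** Parse one line into [ts, series, user, ip], or null if it is not a remember-me success. */
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ remember_me_success series=(\S+) user=(\S+) ip=(\S+)$/', $line, $m)) {
        return null;
    }

    return ['ts' => strtotime($m[1]), 'series' => $m[2], 'user' => $m[3], 'ip' => $m[4]];
}

/** @return list<array> parsed events in file order */
function parseLog(string $log): array
{
    $events = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (($event = parseLine($line)) !== null) {
            $events[] = $event;
        }
    }

    return $events;
}

/** IoC: a series identifier that resolved to more than one user identifier. */
function seriesResolvingToMultipleUsers(array $events): array
{
    $usersBySeries = [];
    foreach ($events as $e) {
        $usersBySeries[$e['series']][$e['user']] = true;
    }
    $flagged = [];
    foreach ($usersBySeries as $series => $users) {
        if (count($users) > 1) {
            $flagged[$series] = array_keys($users);
        }
    }

    return $flagged;
}

/** Monitoring rule: one client IP authenticating as >= $threshold distinct users within $windowSeconds. */
function ipsAuthenticatingAsManyUsers(array $events, int $windowSeconds = 600, int $threshold = 3): array
{
    usort($events, fn(array $a, array $b) => $a['ts'] <=> $b['ts']);
    $byIp = [];
    foreach ($events as $e) {
        $byIp[$e['ip']][] = $e;
    }
    $flagged = [];
    foreach ($byIp as $ip => $list) {
        $start = 0;
        foreach ($list as $end => $e) {
            // Slide the window start forward until it lies within $windowSeconds of the current event.
            while ($list[$start]['ts'] < $e['ts'] - $windowSeconds) {
                $start++;
            }
            $window = array_slice($list, $start, $end - $start + 1);
            $users = array_values(array_unique(array_column($window, 'user')));
            if (count($users) >= $threshold) {
                $flagged[$ip] = $users;
            }
        }
    }

    return $flagged;
}

$events = parseLog(SAMPLE_LOG);
print_r(seriesResolvingToMultipleUsers($events));
print_r(ipsAuthenticatingAsManyUsers($events));
```

In the constructed sample, series `s-aaa` is reported because it resolves to three different users, and `203.0.113.5` is reported because those three authentications fall inside a ten-minute window; `s-bbb` and `198.51.100.7` stay quiet because the same user authenticates each time. The series rule is the stronger signal for this CVE, since a single series row in `rememberme_token` belongs to exactly one account and should never resolve to anyone else.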

How to Mitigate CVE-2024-51996

Immediate Actions Required

  • Upgrade symfony/security-http to 5.4.47, 6.4.15, or 7.1.8 depending on the supported branch.
  • Invalidate all existing persisted remember-me tokens after upgrade to force re-issuance under the patched code path.
  • Review authentication and account activity logs for impersonation indicators dating back to the introduction of the persistent remember-me handler.

Patch Information

The fix was applied in commit 81354d392c5f0b7a52bcbd729d6f82501e94135a. The patched handler now compares both getUserIdentifier() and getClass() from the persisted token against the values carried by the cookie and throws AuthenticationException on mismatch. Details are documented in the Symfony GHSA-cg23-qf8f-62rr advisory.

Workarounds

  • Disable the remember-me feature in the Symfony security firewall configuration until the upgrade is deployed.
  • Switch from PersistentRememberMeHandler to the signature-based remember-me handler if persistent token storage is not required.
  • Truncate the rememberme_token table to invalidate all outstanding persisted cookies.

```bash
# Pin symfony/security-http to a patched release (composer require updates composer.json)
composer require symfony/security-http:^7.1.8
# or for the 6.4 LTS branch
composer require symfony/security-http:^6.4.15
# or for the 5.4 LTS branch
composer require symfony/security-http:^5.4.47
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
