CVE-2024-50342

low-risk

Published 2024-11-06

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Do I need to act?

0.50% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.1/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Httpclient

Affected Vendors

Sensiolabs

References (2)

Patch https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f...

Vendor Advisory https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm

/ 100

low-risk

Severity 11/34 · Low

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal