
Deserialization of Untrusted Data

CVE-2026-45077

Severity High
Score 8.1/10

Summary

`Symfony\Bridge\Monolog\Command\ServerLogCommand` (the `server:log` console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink:

1. The listener binds to 0.0.0.0:9911 by default, so it accepts connections on every interface, not only loopback.
2. Each received frame is processed as `unserialize(base64_decode($message))` without an `allowed_classes` allowlist, without authentication, and without any integrity check. The decoded value is then passed to `displayLog(..., array $record)`, which assumes, without validating, that the result is an array.

Affected versions of `symfony/monolog-bridge` and `symfony/symfony`: prior to 5.4.52; 6.0.0 and later prior to 6.4.40; 7.0.0 and later prior to 7.4.12; 8.0.0 and later prior to 8.0.12.
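The sink described above beside a hardened frame handler, as an added example that is not Symfony's own code; the function names, the loopback bind address and the constructed frame are assumptions for illustration:

```php
<?php
// Added example (not from the Symfony code base). Function names are hypothetical.

// Mirrors the vulnerable pattern described in the advisory: any PHP object
// embedded in the frame is instantiated, so __wakeup/__destruct of whatever
// classes are loadable in the process run before the result is even inspected.
function handleFrameUnsafe(string $message)
{
    return unserialize(base64_decode($message));
}

// Hardened variant: no class may be instantiated, the decode is strict,
// and the result is validated as a plain array before it reaches displayLog().
function handleFrameSafe(string $message): ?array
{
    $raw = base64_decode($message, true);          // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application magic methods are reached.
    $record = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($record)) {
        return null;                               // displayLog() expects an array
    }
    // Reject records that still carry (incomplete) objects at any depth.
    $clean = true;
    array_walk_recursive($record, function ($value) use (&$clean) {
        if ($value instanceof __PHP_Incomplete_Class) {
            $clean = false;
        }
    });
    return $clean ? $record : null;
}

// The listener itself should default to loopback, not 0.0.0.0 (assumed address).
function openListener(): mixed
{
    return stream_socket_server('tcp://127.0.0.1:9911', $errno, $errstr);
}

// Constructed frames: a plain array record is accepted, an object-bearing one is not.
$okFrame  = base64_encode(serialize(['channel' => 'app', 'message' => 'hello']));
$badFrame = base64_encode('O:8:"stdClass":0:{}');
var_dump(handleFrameSafe($okFrame) !== null);     // bool(true)
var_dump(handleFrameSafe($badFrame) === null);    // bool(true)
```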

CWE-502 - Deserialization of Untrusted Data

Deserialization of untrusted data vulnerabilities allow an attacker to supply or manipulate a serialized object so that malicious data is deserialized at the victim's end, where it can compromise the victim's system. The impact can be devastating, ranging from privilege escalation, broken access control or denial of service to unauthorized access to the application's internal code and logic, which can compromise the entire system.
