CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description

When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks.

In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.

Resolution

Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41267-webcache-poisoning-via-x-forwarded-prefix-and-sub-request?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Létrehozva 4y | 2021. nov. 24. 9:20:08

Jelentkezéshez jelentkezzen be

EGYÉB POSTS Ebben a csoportban

New in Symfony 7.3: Routing Improvements

The Routing component provides an impressive list of features to map incoming URLs to your application code. Symfony 7.3 pushes it even further with a set of new features that improve developer experi

2025. máj. 21. 11:10:07 | Symfony

New in Symfony 7.3: JsonStreamer Component

Contributed by Mathias Arlaud in

2025. máj. 20. 9:30:13 | Symfony

Symfony UX CVE-2025-47946: Unsanitized HTML attribute injection via ComponentAttributes

Affected versions

Symfony UX symfony/ux-live-component and symfony/ux-twig-component versions <2.25.1 are affected by this security issue.

The issue has been fixed in the 2.25.1 version of these

2025. máj. 19. 12:40:14 | Symfony

New in Symfony 7.3: Yaml Improvements

Symfony has been reducing the need for configuration in applications for several years now. Thanks to PHP attributes, you can now configure most things alongside the relevant code, removing the need f

2025. máj. 19. 8:10:09 | Symfony

A Week of Symfony #959 (May 12–18, 2025)

This week, development activity focused on polishing Symfony 7.3 ahead of its final release in two weeks. We also continued publishing articles highlighting the new features of Symfony 7.3 and shared

2025. máj. 18. 8:50:08 | Symfony

SymfonyOnline June 2025: Keynote “Symfony in 2025, Scaling to Zero.”

SymfonyOnline June 2025 is almost here, starting in a few weeks on:

June 10-11: Workshop days. June 12-13: Online conference days in English. All talks will be available for replay as soon as

2025. máj. 16. 15:10:26 | Symfony

New in Symfony 7.3: Dependency Injection Improvements

Symfony 7.3 introduces several enhancements to the DependencyInjection component that simplify service configuration, make autoconfiguration more flexible, and enable environment-specific aliasing.

2025. máj. 16. 8:10:11 | Symfony

Techie