CVE-2024-51736
Published:November 06, 2024
Updated:June 01, 2026
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Packages
symfony/process (PHP):
Affected version(s) >=v2.0.0 <v5.4.46Fix Suggestion:
Update to version v5.4.46symfony/symfony (PHP):
Affected version(s) >=dev-binary-options <v5.4.46Fix Suggestion:
Update to version v5.4.46symfony/process (PHP):
Affected version(s) >=v7.0.0 <v7.1.7Fix Suggestion:
Update to version v7.1.7symfony/symfony (PHP):
Affected version(s) >=v6.0.0 <v6.4.14Fix Suggestion:
Update to version v6.4.14symfony/process (PHP):
Affected version(s) >=v6.0.0 <v6.4.14Fix Suggestion:
Update to version v6.4.14symfony/symfony (PHP):
Affected version(s) >=v7.0.0 <v7.1.7Fix Suggestion:
Update to version v7.1.7Related Resources (8)
Do you need more information?
Contact UsWeakness Type (CWE)
Improper Neutralization of Special Elements used in a Command ('Command Injection')
EPSS
Base Score:
0.78