Description "Symfony\Component\Cache\Adapter\PdoAdapter" is the PDO-backed cache adapter. Its "clear($prefix)" method (inherited from "AbstractAdapterTrait") is documented to delete cache items whose key starts with "$prefix". In the non-versioning code path, the caller-supplied "$prefix" is concatenated into "$namespace = $this->namespace.$prefix" and passed to "PdoAdapter::doClear()", which builds: DELETE FROM <table> WHERE <id_col> LIKE '<namespace>%' The value is interpolated directly into the SQL text and executed with "PDO::exec()": "$namespace" is not bound. A caller able to influence "$prefix" can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics. Most applications don't expose "clear($prefix)" to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself. Resolution "AbstractAdapterTrait::clear()" now rejects any "$prefix" containing characters outside "[-+.A-Za-z0-9]": when an invalid prefix is supplied, the method logs a warning and returns "false" instead of reaching the SQL layer. This blocks quotes, "%", null bytes and other characters that would let an attacker break out of the "LIKE" literal. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/ec50b799d79ebe24561f29351c1efcb6da95c9b1) for branch 5.4. Credits Symfony would like to thank secsys_codex for reporting the issue and Nicolas Grekas for fixing it.