Description "Symfony\Bridge\Monolog\Command\ServerLogCommand" (the "server:log" console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink: 1. The listener binds to "0.0.0.0:9911" by default; it accepts connections on every interface, not only loopback. 2. Each received frame is processed as "unserialize(base64_decode($message))" without an "allowed_classes" allowlist, without authentication, and without any integrity check. The decoded value is then passed to "displayLog(..., array $record)" which assumes (without validating) that the result is an array. Any host that can reach TCP port 9911 on a machine running "server:log" can therefore submit attacker-chosen serialized PHP payloads. The minimum impact is an unauthenticated denial of service (sending a non-array, e.g. "serialize(new stdClass())", crashes the listener with a type error). Object injection with magic-method side effects ("__wakeup()" / "__destruct()" / etc.) is reachable before the array type-check fires; full remote code execution is environment-dependent and contingent on usable gadget chains in the autoload set of the target process. Resolution The "server:log" command no longer binds to all interfaces by default: the default "--host" is now "127.0.0.1:9911", requiring explicit opt-in to accept off-host traffic. Message decoding is gated by an "unserialize()" allowlist restricted to the "Symfony\Component\VarDumper\Caster*" and "Symfony\Component\VarDumper\Cloner*" classes that legitimately appear inside dumped log records; any other class is rejected and the record discarded. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/0891b2f293896c488e26943dc034334364b77fc4) for branch 5.4. Credits Symfony would like to thank Toàn Thắng and Sam Sanoop for reporting the issue and Nicolas Grekas for fixing it.