Cyber Resilience

CVE-2024-50340

Severity: High

Published: 06 November 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in Symfony 5.4.46, 6.4.14 and 7.1.7
CVSS v3.1 score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.8662 (99.4th percentile)
Risk priority: 67 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-50340 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, this CVE ranks in the top 0.6% of all CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

symfony/runtime, a component of the Symfony PHP framework that decouples applications from global state, contains an injection vulnerability (CWE-74) that is reachable when the PHP directive register_argv_argc is enabled. With that directive on, PHP populates $_SERVER['argv'] from the request's query string even under a web SAPI, so an attacker supplying a specially crafted query string can alter the environment or debug mode passed to the application kernel during request handling. The issue affects Symfony versions prior to 5.4.46, 6.4.14, and 7.1.7.

Unauthenticated remote attackers can exploit the flaw over the network simply by accessing any URL with a malicious query string, achieving limited control over the runtime context without requiring authentication or user interaction. This can result in changes to application behavior that affect confidentiality, integrity, and availability, consistent with the CVSS 7.3 rating.

The Symfony security advisory and associated commit state that SymfonyRuntime now explicitly ignores argv values for non-SAPI PHP runtimes in the fixed releases. No workarounds are known, and all users are advised to upgrade immediately.
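The mechanism above, as an added illustration that is not Symfony's own code: a minimal runtime bootstrap that derives the environment and debug mode from argv, beside the hardened form that ignores argv unless PHP is running under the CLI SAPI. The function names and the constructed $_SERVER arrays are assumptions made for this example (PHP 8.0 or later).

```php
<?php
declare(strict_types=1);
// Added illustration, not Symfony's code. With register_argv_argc=On, a web
// SAPI copies the query string into $_SERVER['argv'], so a bootstrap that
// honours --env / --no-debug from argv lets any request choose the kernel's
// environment. The hardened form drops argv outside the CLI SAPI.

/** Vulnerable pattern: argv is honoured regardless of which SAPI is running. */
function resolveOptionsVulnerable(array $server): array
{
    $env   = $server['APP_ENV'] ?? 'prod';
    $debug = ($server['APP_DEBUG'] ?? '0') !== '0';
    foreach ($server['argv'] ?? [] as $arg) {
        if (str_starts_with($arg, '--env=')) {
            $env = substr($arg, strlen('--env='));
        } elseif ($arg === '--no-debug') {
            $debug = false;
        }
    }
    return ['env' => $env, 'debug' => $debug];
}

/** Hardened pattern: argv is only an input when PHP runs as a CLI process. */
function resolveOptionsHardened(array $server, string $sapi = PHP_SAPI): array
{
    if ($sapi !== 'cli') {
        unset($server['argv']); // under a web SAPI argv mirrors the query string
    }
    return resolveOptionsVulnerable($server);
}

// Constructed $_SERVER for a web request served with register_argv_argc=On:
// PHP has already split the query string into argv, so argv is request-controlled.
$webRequest = [
    'APP_ENV'      => 'prod',
    'APP_DEBUG'    => '0',
    'QUERY_STRING' => '--env=dev',
    'argv'         => ['--env=dev'],
];
// Constructed $_SERVER for a genuine console invocation of the same application.
$cliRun = ['APP_ENV' => 'prod', 'argv' => ['bin/console', '--env=test']];

printf("web, vulnerable: env=%s\n", resolveOptionsVulnerable($webRequest)['env']);
printf("web, hardened:   env=%s\n", resolveOptionsHardened($webRequest, 'fpm-fcgi')['env']);
printf("cli, hardened:   env=%s\n", resolveOptionsHardened($cliRun, 'cli')['env']);
```

Running the script shows the web request overriding APP_ENV only through the vulnerable resolver, while the hardened resolver still honours argv for the real console run.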

The EPSS score currently stands at 0.8662 with a recorded peak of 0.8902, indicating sustained exploitation interest following disclosure.

Vulnerability details

symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s): CWE-74 (Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
