CVE-2019-10910: Symfony Service IDs Allow Injection

November 18, 2019 (updated May 29, 2025)

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

References

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dependency-injection/CVE-2019-10910.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/proxy-manager-bridge/CVE-2019-10910.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10910.yaml
github.com/advisories/GHSA-pgwj-prpq-jpc2
github.com/symfony/symfony
github.com/symfony/symfony/commit/3876c75f858d5d82e2c309698d21af2f1d721afb
github.com/symfony/symfony/commit/4c80c3444854ef384df94deb4acbcef4b5e5243b
github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b
nvd.nist.gov/vuln/detail/CVE-2019-10910
symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
symfony.com/cve-2019-10910
www.synology.com/security/advisory/Synology_SA_19_19

Code Behaviors & Features

Detect and mitigate CVE-2019-10910 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →