Vulnerability in open source project has since been patched

Web cache poisoning bug discovered in Symfony PHP framework

The mishandling of HTTP headers left websites built on top of the Symfony platform vulnerable to web cache poisoning attacks.

Symfony, a popular PHP framework for web applications, is an open source project with more than 200 million historic downloads.

The platform was found to be vulnerable to web cache poisoning attacks, potentially exposing sensitive information such as users’ IP addresses.

Web cache poisoning attacks target the intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers.

BACKGROUND Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack

These servers usually help improve the performance of websites by storing local versions of web content to speed up their delivery to web clients.

Web cache poisoning attacks trick cache servers into storing harmful content and later deliver them to clients.

Load balancing headers

Now fixed, the bug was caused when a Symfony-based website was running behind a proxy or load-balancer. In such cases, developers can instruct Symfony to look for X-Forwarded-* headers, which provide extra information about the client such as the original IP address, protocol, and port.

Symfony uses a trusted_headers allowlist to restrict allowed headers and prevent web cache poisoning attacks. In version 5.2, the developers of Symfony added support for the X-Forwarded-Prefix header, which attaches information about the original path-base of the request.

Read more of the latest security vulnerability news

According to a GitHub advisory, the bug was in the sub-request feature, which allows developers to render and serve a small portion of a page instead of a full page.

The X-Forwarded-Prefix header was processed by ‘sub-requests’ even if it was not included in their trusted_headers list.

Malicious actors could leverage this bug to conduct web cache poisoning attacks by forging malicious sub-requests with the X-Forwarded-Prefix header and having them stored in cache servers.

The malicious snippets would later be served to other clients that made the same request.


At least one e-commerce platform based on Symfony has fixed a similar bug.

It’s not clear how many other websites have been affected, but given Symfony’s wide reach in the PHP web developer community, the impact could be far-reaching.

The Daily Swig has reached out to the maintainers of Symfony for comment. We will update this post if we receive further details on the bug.

RECOMMENDED Dozens of web apps vulnerable to DNS cache poisoning via ‘forgot password’ feature