CVE-2024-50342

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b	Patch
https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sensiolabs:httpclient::::::::
	cpe:2.3:a:sensiolabs:httpclient::::::::
	cpe:2.3:a:sensiolabs:httpclient::::::::

History

No history.

Information

Published : 2024-11-06 21:15

Updated : 2026-01-12 17:45

NVD link : CVE-2024-50342

Mitre link : CVE-2024-50342

CVE.ORG link : CVE-2024-50342

JSON object : View

Products Affected

sensiolabs

httpclient

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2024-50342", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-11-06T21:15:05.963", "references": [{"url": "https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "symfony/http-client es un m\u00f3dulo para el framework PHP Symphony que proporciona m\u00e9todos potentes para obtener recursos HTTP de forma sincr\u00f3nica o asincr\u00f3nica. Al utilizar `NoPrivateNetworkHttpClient`, todav\u00eda se filtra cierta informaci\u00f3n interna durante la resoluci\u00f3n del host, lo que lleva a una posible enumeraci\u00f3n de IP/puerto. A partir de las versiones 5.4.46, 6.4.14 y 7.1.7, `NoPrivateNetworkHttpClient` ahora filtra las IP bloqueadas antes para evitar dichas filtraciones. Se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2026-01-12T17:45:24.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCD522A1-414A-4E9D-8CD3-1AF7381721D1", "versionEndExcluding": "5.4.46"}, {"criteria": "cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3995A623-DA0E-45DC-8BB2-AC4FF8645E8F", "versionEndExcluding": "6.4.14", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "850FABC0-EBDC-46A8-92B2-2B73C1FDD7D6", "versionEndExcluding": "7.1.7", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}