fix(deps): update dependency symfony/process to 6.4.* [security] #11

Merged
jank merged 1 commit from renovate/packagist-symfony-process-vulnerability into main 2025-08-21 09:46:11 +00:00

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [symfony/process](https://symfony.com) ([source](https://github.com/symfony/process)) | `6.3.*` -> `6.4.*` | [age](https://docs.renovatebot.com/merge-confidence/) | [adoption](https://docs.renovatebot.com/merge-confidence/) | [passing](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |

Symfony vulnerable to command execution hijack on Windows with Process class

CVE-2024-51736 / GHSA-qq5c-677p-737q

Details

Description

On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking.

Resolution

The Process class now uses the absolute path to cmd.exe.

The patch for this issue is available for branch 5.4 at https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9.
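To make the lookup order behind this advisory concrete, here is an added PHP example (not symfony/process code) that models the vulnerable current-directory-first resolution beside a PATH-only resolution on a constructed temp-dir layout, so it runs on any OS; `resolveCwdFirst`, `resolvePathOnly` and `firstExisting` are hypothetical helpers, not the library's API. On Windows itself the operating system performs the current-directory lookup for an unqualified name such as `cmd.exe`, which is why the fix resolves the shell through PATH and ends up with an absolute path.

```php
<?php
// Added example, not symfony/process code: models the two lookup orders from
// the advisory on a constructed temp-dir layout, so it runs on any OS.

/** Vulnerable order: current directory first, then the PATH entries. */
function resolveCwdFirst(string $name, string $cwd, string $path): ?string
{
    return firstExisting($name, array_merge([$cwd], explode(PATH_SEPARATOR, $path)));
}

/** Hardened order: PATH entries only; empty entries are skipped instead of
 *  falling back to the current directory (cf. symfony/symfony#58711). */
function resolvePathOnly(string $name, string $path): ?string
{
    return firstExisting($name, array_filter(explode(PATH_SEPARATOR, $path), fn ($d) => $d !== ''));
}

/** Returns the first existing regular file $dir/$name, or null if none is found. */
function firstExisting(string $name, array $dirs): ?string
{
    foreach ($dirs as $dir) {
        $file = $dir . DIRECTORY_SEPARATOR . $name;
        if (is_file($file)) {
            return $file;
        }
    }
    return null; // callers must treat null as "not found", never as "run $name bare"
}

// Constructed layout: a project directory holding a planted cmd.exe and a
// "System32" directory holding the legitimate one.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmd-lookup-' . bin2hex(random_bytes(4));
$project = $root . DIRECTORY_SEPARATOR . 'project';
$system  = $root . DIRECTORY_SEPARATOR . 'System32';
mkdir($project, 0700, true);
mkdir($system, 0700, true);
touch($project . DIRECTORY_SEPARATOR . 'cmd.exe');
touch($system . DIRECTORY_SEPARATOR . 'cmd.exe');

// PATH with a leading empty entry, the shape handled in symfony/symfony#58711.
$path = PATH_SEPARATOR . $system;

// Same name, two lookup orders: the vulnerable one picks up the copy in the
// working directory, the PATH-only one ignores the working directory entirely.
printf("cwd-first: %s\n", resolveCwdFirst('cmd.exe', $project, $path));
printf("PATH-only: %s\n", resolvePathOnly('cmd.exe', $path));

// Remove the constructed layout.
array_map('unlink', glob($root . DIRECTORY_SEPARATOR . '*' . DIRECTORY_SEPARATOR . 'cmd.exe'));
array_map('rmdir', [$project, $system, $root]);
```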

Credits

We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

  • https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
  • https://nvd.nist.gov/vuln/detail/CVE-2024-51736
  • https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
  • https://github.com/symfony/symfony
  • https://symfony.com/cve-2024-51736

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-qq5c-677p-737q) and the GitHub Advisory Database (https://github.com/github/advisory-database) (CC-BY 4.0).


Release Notes

symfony/process (symfony/process)

v6.4.14

Compare Source (https://github.com/symfony/process/compare/v6.4.13...v6.4.14)

Changelog (https://github.com/symfony/process/compare/v6.4.13...v6.4.14)

  • security symfony/symfony#cve-2024-51736 [Process] Use PATH before CD to load the shell on Windows (@nicolas-grekas)
  • bug symfony/symfony#58752 [Process] Fix escaping /X arguments on Windows (@nicolas-grekas)
  • bug symfony/symfony#58735 [Process] Return built-in cmd.exe commands directly in ExecutableFinder (@Seldaek)
  • bug symfony/symfony#58723 [Process] Properly deal with not-found executables on Windows (@nicolas-grekas)
  • bug symfony/symfony#58711 [Process] Fix handling empty path found in the PATH env var with ExecutableFinder (@nicolas-grekas)

v6.4.13

Compare Source (https://github.com/symfony/process/compare/v6.4.12...v6.4.13)

Changelog (https://github.com/symfony/process/compare/v6.4.12...v6.4.13)

  • no significant changes

v6.4.12

Compare Source (https://github.com/symfony/process/compare/v6.4.8...v6.4.12)

Changelog (https://github.com/symfony/process/compare/v6.4.11...v6.4.12)

  • bug symfony/symfony#58291 [Process] Fix finding executables independently of open_basedir (@BlackbitDevs)
  • bug symfony/symfony#58195 [Process] Fix the removal of host-specific configuration when managing the ini settings in PhpSubprocess (@M-arcus)

v6.4.8

Compare Source (https://github.com/symfony/process/compare/v6.4.7...v6.4.8)

Changelog (https://github.com/symfony/process/compare/v6.4.7...v6.4.8)

  • bug symfony/symfony#54863 [Process] Return false when open_basedir prevents access to /dev/tty (@mjauvin)

v6.4.7

Compare Source (https://github.com/symfony/process/compare/v6.4.4...v6.4.7)

Changelog (https://github.com/symfony/process/compare/v6.4.6...v6.4.7)

  • no significant changes

v6.4.4

Compare Source (https://github.com/symfony/process/compare/v6.4.3...v6.4.4)

Changelog (https://github.com/symfony/process/compare/v6.4.3...v6.4.4)

  • bug symfony/symfony#54006 [Process] Fix the command -v exception (@kayw-geek)
  • bug symfony/symfony#53821 [Process] Fix inconsistent exit status in proc_get_status for PHP versions below 8.3 (@Luc45)

v6.4.3

Compare Source (https://github.com/symfony/process/compare/v6.4.2...v6.4.3)

Changelog (https://github.com/symfony/process/compare/v6.4.2...v6.4.3)

  • bug symfony/symfony#53481 [Process] Fix executable finder when the command starts with a dash (@kayw-geek)

v6.4.2

Compare Source (https://github.com/symfony/process/compare/v6.4.0...v6.4.2)

Changelog (https://github.com/symfony/process/compare/v6.4.1...v6.4.2)

  • bug symfony/symfony#52864 [HttpClient][Mailer][Process] always pass microseconds to usleep as integers (@xabbuh)

v6.4.0

Compare Source (https://github.com/symfony/process/compare/v6.3.12...v6.4.0)

Changelog (https://github.com/symfony/process/compare/v6.4.0-RC2...v6.4.0)

  • no significant changes

v6.3.12

Compare Source (https://github.com/symfony/process/compare/v6.3.11...v6.3.12)

Changelog (https://github.com/symfony/process/compare/v6.3.11...v6.3.12)

  • bug symfony/symfony#53481 [Process] Fix executable finder when the command starts with a dash (@kayw-geek)

v6.3.11

Compare Source (https://github.com/symfony/process/compare/v6.3.4...v6.3.11)

Changelog (https://github.com/symfony/process/compare/v6.3.10...v6.3.11)

  • bug symfony/symfony#52864 [HttpClient][Mailer][Process] always pass microseconds to usleep as integers (@xabbuh)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

Renovate force-pushed renovate/packagist-symfony-process-vulnerability from caed1de93a to dfb1ae9f14 2025-08-21 08:36:41 +00:00 Compare
Renovate force-pushed renovate/packagist-symfony-process-vulnerability from dfb1ae9f14 to 081343d0c4 2025-08-21 09:34:31 +00:00 Compare
jank merged commit 9cd84186b0 into main 2025-08-21 09:46:11 +00:00
Reference: jank/ventry#11