fix(deps): update dependency symfony/http-client to 6.4.* [security] #10

Merged
jank merged 1 commit from renovate/packagist-symfony-http-client-vulnerability into main 2025-08-21 09:11:21 +00:00

This PR contains the following updates:

Package: symfony/http-client (source: https://github.com/symfony/http-client)
Change: 6.3.* -> 6.4.* (the Renovate merge-confidence badge URLs for this update reference 6.3.7 as the current and 6.4.15 as the new version)

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

CVE-2024-50342 (https://nvd.nist.gov/vuln/detail/CVE-2024-50342) / GHSA-9c3x-r3wp-mgxm (https://github.com/advisories/GHSA-9c3x-r3wp-mgxm)

Details

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.

The first patch for this issue is available at https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b for branch 5.4.

The second one is available at https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa for branch 5.4 also.

Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

  • https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
  • https://nvd.nist.gov/vuln/detail/CVE-2024-50342
  • https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
  • https://github.com/symfony/symfony
  • https://symfony.com/cve-2024-50342

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-9c3x-r3wp-mgxm) and the GitHub Advisory Database (https://github.com/github/advisory-database) (CC-BY 4.0).


Release Notes

symfony/http-client (https://github.com/symfony/http-client)

v6.4.15

Changelog (https://github.com/symfony/http-client/compare/v6.4.14...v6.4.15)

  • security symfony/symfony#cve-2024-50342 [HttpClient] Resolve hostnames in NoPrivateNetworkHttpClient (@nicolas-grekas)

v6.4.14

Changelog (https://github.com/symfony/http-client/compare/v6.4.13...v6.4.14)

  • security symfony/symfony#cve-2024-50342 [HttpClient] Filter private IPs before connecting when Host == IP (@nicolas-grekas)
  • bug symfony/symfony#58704 [HttpClient] fix for HttpClientDataCollector fails if proc_open is disabled via php.ini (@ZaneCEO)

v6.4.13

Changelog (https://github.com/symfony/http-client/compare/v6.4.12...v6.4.13)

  • no significant changes

v6.4.12

Changelog (https://github.com/symfony/http-client/compare/v6.4.11...v6.4.12)

  • bug symfony/symfony#58278 [HttpClient] Fix setting CURLMOPT_MAXCONNECTS (@HypeMC)
  • bug symfony/symfony#58218 Work around parse_url() bug (@nicolas-grekas)

v6.4.11

Changelog (https://github.com/symfony/http-client/compare/v6.4.10...v6.4.11)

  • bug symfony/symfony#58044 [HttpClient] Do not overwrite the host to request when using option "resolve" (@xabbuh)
  • bug symfony/symfony#57981 [HttpClient] reject malformed URLs with a meaningful exception (@xabbuh)
  • bug symfony/symfony#57870 [HttpClient] Disable HTTP/2 PUSH by default when using curl (@nicolas-grekas)

v6.4.10

Changelog (https://github.com/symfony/http-client/compare/v6.4.9...v6.4.10)

  • no significant changes

v6.4.9

Changelog (https://github.com/symfony/http-client/compare/v6.4.8...v6.4.9)

  • bug symfony/symfony#57569 [HttpClient][Mailer] Revert "Let curl handle transfer encoding", use HTTP/1.1 for Mailgun (@nicolas-grekas)
  • bug symfony/symfony#57453 [HttpClient] Fix parsing SSE (@fancyweb)

v6.4.8

Changelog (https://github.com/symfony/http-client/compare/v6.4.7...v6.4.8)

  • bug symfony/symfony#54860 [HttpClient] Revert fixing curl default options (@alexandre-daubois)
  • bug symfony/symfony#54830 [HttpClient] Fix cURL default options for PHP 8.4 (@alexandre-daubois)

v6.4.7

Changelog (https://github.com/symfony/http-client/compare/v6.4.6...v6.4.7)

  • bug symfony/symfony#54517 [HttpClient] Let curl handle transfer encoding (@michaelhue)
  • bug symfony/symfony#54242 [HttpClient][EventSourceHttpClient] Fix consuming SSEs with \r\n separator (@fancyweb)

v6.4.6

Changelog (https://github.com/symfony/http-client/compare/v6.4.5...v6.4.6)

  • bug symfony/symfony#54400 [HttpClient] stop all server processes after tests have run (@xabbuh)
  • bug symfony/symfony#54207 [HttpClient] Lazily initialize CurlClientState (@arjenm)
  • bug symfony/symfony#54146 [HttpClient] Preserve float in JsonMockResponse (@Jibbarth)

v6.4.5

Changelog (https://github.com/symfony/http-client/compare/v6.4.4...v6.4.5)

  • bug symfony/symfony#54102 [HttpClient] Fix deprecation on PHP 8.3 (@nicolas-grekas)

v6.4.4

Changelog (https://github.com/symfony/http-client/compare/v6.4.3...v6.4.4)

  • bug symfony/symfony#53889 [HttpClient] Make retry strategy work again (@Nyholm)

v6.4.3

Changelog (https://github.com/symfony/http-client/compare/v6.4.2...v6.4.3)

  • bug symfony/symfony#53671 [HttpClient] Fix pausing responses before they start when using curl (@nicolas-grekas)
  • bug symfony/symfony#53506 [HttpClient] Fix error chunk creation in passthru (@rmikalkenas)

v6.4.2

Changelog (https://github.com/symfony/http-client/compare/v6.4.1...v6.4.2)

  • bug symfony/symfony#52864 [HttpClient][Mailer][Process] always pass microseconds to usleep as integers (@xabbuh)

v6.4.0

Changelog (https://github.com/symfony/http-client/compare/v6.4.0-RC2...v6.4.0)

  • no significant changes

v6.3.12

Changelog (https://github.com/symfony/http-client/compare/v6.3.11...v6.3.12)

  • bug symfony/symfony#53671 [HttpClient] Fix pausing responses before they start when using curl (@nicolas-grekas)
  • bug symfony/symfony#53506 [HttpClient] Fix error chunk creation in passthru (@rmikalkenas)

v6.3.11

Changelog (https://github.com/symfony/http-client/compare/v6.3.10...v6.3.11)

  • bug symfony/symfony#52864 [HttpClient][Mailer][Process] always pass microseconds to usleep as integers (@xabbuh)

v6.3.8

Changelog (https://github.com/symfony/http-client/compare/v6.3.7...v6.3.8)

  • bug symfony/symfony#52472 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded (@MatTheCat)
  • bug symfony/symfony#52429 [HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
  • bug symfony/symfony#52442 Disable the "Copy as cURL" button when the debug info are disabled (@stof)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
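What the advisory above describes, as an added example that is not Symfony's code and not part of this PR: NoPrivateNetworkHttpClient is Symfony's decorator for refusing requests to private and reserved address ranges, the usual mitigation when an application fetches URLs it did not choose (SSRF). The two security changelog entries show the shape of the fix: for a host that is already an IP literal, the check moved ahead of the connection attempt (6.4.14), and hostnames are now resolved inside the client so the resolved addresses can be checked before anything connects (6.4.15). The Python below, with an injected resolver and a recording connector so it runs offline, contrasts a filter that runs only after connecting with one that vets every address first. `is_blocked` uses Python's ipaddress classification as a stand-in for Symfony's subnet list; the hostnames, DNS answers and port states are constructed for the demonstration.

```python
"""Resolve-then-check guard against fetching from private networks.

Added example for this page (not Symfony's code, not the project's). It models
the bug class behind CVE-2024-50342: a private-network filter that judges the
peer address only after a connection attempt has begun fails differently for a
closed internal port (connection error) and an open one (blocked), which lets a
caller enumerate internal hosts and ports. Vetting every address before any
socket is opened removes the difference.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlsplit


class BlockedAddress(Exception):
    """Target is in a blocked range; raised before any connection is made."""


def is_blocked(ip_text: str) -> bool:
    """Private-network test via Python's ipaddress (an approximation, not Symfony's list)."""
    ip = ipaddress.ip_address(ip_text.strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified


Resolver = Callable[[str], list[str]]   # hostname -> all A/AAAA answers (socket.getaddrinfo in production)
Connector = Callable[[str, int], None]  # (ip, port) -> open the connection


def _host_port(url: str) -> tuple[str, int]:
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def naive_fetch(url: str, resolver: Resolver, connector: Connector) -> None:
    """Vulnerable shape: connect first, judge the peer address afterwards."""
    host, port = _host_port(url)
    ip = resolver(host)[0]
    connector(ip, port)      # a closed internal port already fails here...
    if is_blocked(ip):       # ...an open one fails here instead: distinguishable
        raise BlockedAddress(f"{url} -> {ip}")


def guarded_fetch(url: str, resolver: Resolver, connector: Connector) -> str:
    """Fixed shape: vet every candidate address, then connect to the vetted one."""
    host, port = _host_port(url)
    try:
        ipaddress.ip_address(host)    # literal IP: judged before any network I/O
        candidates = [host]
    except ValueError:
        candidates = resolver(host)   # hostname: resolve here and check every answer
    if not candidates:
        raise BlockedAddress(f"{host} did not resolve")
    for ip in candidates:
        if is_blocked(ip):
            raise BlockedAddress(f"{url} -> {ip} is in a blocked range")
    # Connect to the vetted address, not the hostname, so a second lookup
    # cannot substitute a different answer (DNS rebinding).
    connector(candidates[0], port)
    return candidates[0]


@dataclass
class RecordingConnector:
    """Stand-in for socket.connect: records calls, refuses configured ports."""
    refused: set = field(default_factory=set)
    calls: list = field(default_factory=list)

    def __call__(self, ip: str, port: int) -> None:
        self.calls.append((ip, port))
        if (ip, port) in self.refused:
            raise ConnectionRefusedError(f"{ip}:{port}")


# Constructed DNS answers for the demonstration; the hostnames are not real.
FAKE_DNS = {"intranet.example": ["10.0.0.5"], "public.example": ["1.2.3.4"]}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def demo() -> dict:
    """Both shapes against an internal host with one closed (8080) and one open (8081) port."""
    out = {}
    naive = RecordingConnector(refused={("10.0.0.5", 8080)})
    for port in (8080, 8081):
        try:
            naive_fetch(f"http://intranet.example:{port}/", fake_resolver, naive)
        except Exception as exc:  # the exception *type* differs per port: that is the leak
            out[f"naive_{port}"] = type(exc).__name__
    guarded = RecordingConnector(refused={("10.0.0.5", 8080)})
    blocked = []
    for url in ("http://intranet.example:8080/", "http://intranet.example:8081/",
                "http://[::1]:9000/", "http://[::ffff:10.0.0.5]:22/"):
        try:
            guarded_fetch(url, fake_resolver, guarded)
        except BlockedAddress:
            blocked.append(url)
    out["guarded_blocked"] = len(blocked)                  # 4: every target refused alike
    out["guarded_connect_attempts"] = len(guarded.calls)   # 0: nothing was touched
    out["public"] = guarded_fetch("http://public.example/", fake_resolver, guarded)
    return out
```

`demo()` shows the leak concretely: with the naive shape, a closed internal port surfaces as ConnectionRefusedError and an open one as BlockedAddress, so the error type alone enumerates ports; with the guarded shape every blocked target, hostname or literal, IPv4 or IPv6-mapped, fails the same way and the connector is never called. In production the resolver would be socket.getaddrinfo and the connector a real socket opened to the vetted IP with the original hostname kept only for the Host header and TLS SNI.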

Renovate force-pushed renovate/packagist-symfony-http-client-vulnerability from c0406c3744 to e147d17147 2025-08-21 08:36:26 +00:00
jank merged commit f1264fc540 into main 2025-08-21 09:11:21 +00:00
jank deleted branch renovate/packagist-symfony-http-client-vulnerability 2025-08-21 09:11:22 +00:00
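A check a reviewer would run on the merged lock file, as an added example that is not part of this PR, of Renovate or of Symfony: the composer.json constraint became 6.4.*, which admits every 6.4.x release, while the fix is split across 6.4.14 and 6.4.15, so whether the fix is installed is decided by the version composer.lock records, not by the constraint. The Python below reads both files as dicts and reports whether the locked version is at or above the first release carrying both patches and whether the declared constraint alone would enforce that floor. The sample composer.json and composer.lock contents are constructed, not this repository's; the 6.4 minimum is taken from the release notes above, and entries for other branches are left to be filled in from the advisory.

```python
"""Verify that composer.lock pins symfony/http-client at or above the release
carrying the complete CVE-2024-50342 fix.

Added example for this page; not part of the Renovate PR, the repository or
Symfony. Only the locked version shows what is installed: a range constraint
such as 6.4.* is satisfied by 6.4.14, which carries just the first patch.
"""
from __future__ import annotations

import json
import re

# branch -> first release with both patches (6.4 from the release notes on this
# page; extend from the advisory for other supported branches)
FIXED_MINIMUM = {"6.4": "6.4.15"}


def parse_version(text: str | None) -> tuple[int, int, int] | None:
    """'v6.4.15' -> (6, 4, 15); None for anything that is not a plain tagged release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def constraint_floor(constraint: str | None) -> tuple[int, int, int] | None:
    """Lowest version a single-branch Composer constraint admits; None if not understood.

    Handles '6.4.*', '^6.4.15', '~6.4.15', '>=6.4.15' and an exact '6.4.15'.
    Compound constraints ('||', ',') and two-part forms are reported as None.
    """
    c = (constraint or "").strip()
    if m := re.fullmatch(r"v?(\d+)\.(\d+)\.\*", c):
        return (int(m[1]), int(m[2]), 0)
    if m := re.fullmatch(r"(?:\^|~|>=)?v?(\d+)\.(\d+)\.(\d+)", c):
        return (int(m[1]), int(m[2]), int(m[3]))
    return None


def locked_version(lock: dict, package: str) -> str | None:
    """The version recorded for `package` in either lock section, or None."""
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def audit(lock: dict, composer_json: dict, package: str = "symfony/http-client",
          minimums: dict[str, str] = FIXED_MINIMUM) -> dict:
    """Compare the locked version and the declared constraint against the fix floor."""
    locked = locked_version(lock, package)
    v = parse_version(locked)
    result = {"locked": locked, "fixed": False, "constraint_enforces_fix": False}
    if v is None:
        result["note"] = f"{package} is missing or not a tagged release; inspect manually"
        return result
    minimum = minimums.get(f"{v[0]}.{v[1]}")
    if minimum is None:
        result["note"] = f"no fixed version known for branch {v[0]}.{v[1]}; consult the advisory"
        return result
    floor = parse_version(minimum)
    constraint = (composer_json.get("require", {}).get(package)
                  or composer_json.get("require-dev", {}).get(package))
    result["fixed"] = v >= floor
    # A constraint whose lower bound is below the fix could resolve to a vulnerable
    # release on the next `composer update`; the committed lock is what protects you.
    result["constraint_enforces_fix"] = (constraint_floor(constraint) or (0, 0, 0)) >= floor
    result["note"] = ("ok" if result["fixed"]
                      else f"locked {locked} is below {minimum}; run: composer update {package}")
    return result


# Constructed sample files (not this repository's real composer.json / composer.lock).
SAMPLE_COMPOSER_JSON = json.loads('{"require": {"symfony/http-client": "6.4.*"}}')
SAMPLE_LOCK_FIXED = json.loads('{"packages": [{"name": "symfony/http-client", "version": "v6.4.15"}]}')
SAMPLE_LOCK_STALE = json.loads('{"packages": [{"name": "symfony/http-client", "version": "v6.4.14"}]}')
```

Run it with json.load on the real composer.json and composer.lock in place of the samples. For this PR's constraint, `constraint_enforces_fix` is False even when the lock is at 6.4.15: a later update without the lock could resolve to 6.4.14, so either raise the constraint to ^6.4.15 or keep the lock file committed and re-audited.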
Reference: jank/ventry#10