{"id":"CVE-2021-41267","details":"Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the \"trusted_headers\" allowed list are ignored and protect users from \"Cache poisoning\" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the \"trusted_headers\" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted.","aliases":["BIT-symfony-2021-41267","GHSA-q3j3-w37x-hq2q"],"modified":"2026-04-10T04:38:26.115746Z","published":"2021-11-24T19:15:07.737Z","related":["GHSA-q3j3-w37x-hq2q"],"references":[{"type":"ADVISORY","url":"https://github.com/symfony/symfony/releases/tag/v5.3.12"},{"type":"FIX","url":"https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487"},{"type":"FIX","url":"https://github.com/symfony/symfony/pull/44243"},{"type":"FIX","url":"https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"8b51547061b29081803eb9fdf9b02cf80a1e1a74"},{"fixed":"256c34a45b79fdc6276a8c941a1656713ee1ffec"},{"fixed":"95dcf51682029e89450aee86267e3d553aa7c487"}],"database_specific":{"versions":[{"introduced":"5.2.0"},{"fixed":"5.3.12"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41267.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}