Update dependency symfony/http-kernel to v8.0.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/http-kernel (source)	8.0.0 → 8.0.12

---

Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

CVE-2026-45075 / GHSA-6439-2f28-8p8q

More information

Details

Description

Symfony's #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] attributes allow you to define a methods: [...] argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: ['GET'] would be ignored for a HEAD request.

On the other hand, Symfony's router (and HTTP semantics generally) serves HEAD requests using the GET handler. Therefore, a controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can be reached via HEAD with the authorization check silently skipped.

Even if the HEAD request won't get any response content, response headers leak (Content-Length, Location, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur.

Resolution

When adding GET in the methods option of these attributes, Symfony now also include the HEAD method automatically.

The patch for this issue is available here for branch 7.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.

Severity

• CVSS Score: 6.2 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/symfony/symfony/security/advisories/GHSA-6439-2f28-8p8q
• https://github.com/symfony/symfony/commit/fa8d5c67aa4b22c9656e3fd7d5c3aa59865bf838
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2026-45075.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45075.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45075.yaml
• https://symfony.com/cve-2026-45075
• https://github.com/advisories/GHSA-6439-2f28-8p8q

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

symfony/http-kernel (symfony/http-kernel)

v8.0.12

Compare Source

Changelog (symfony/http-kernel@v8.0.11...v8.0.12)

• data #​64306 Release v8.0.12
• data #​64303 Release v6.4.40
• bug #​64214 Preserve named-attribute override on Request/Session value resolvers (@​nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@​nicolas-grekas)
• data #​64201 Release v7.4.11
• data #​64200 Release v6.4.39

v8.0.11

Compare Source

Changelog (symfony/http-kernel@v8.0.10...v8.0.11)

• data #​64202 Release v8.0.11
• bug #​64150 Use backend-handled request for terminate listeners in HttpCache (@​Toflar)
• data #​64146 Release v6.4.38
• data #​64144 Release v7.4.10

v8.0.10

Compare Source

Changelog (symfony/http-kernel@v8.0.8...v8.0.10)

• data #​64145 Release v8.0.10

v8.0.8

Compare Source

Changelog (symfony/http-kernel@v8.0.7...v8.0.8)

• bug #​63724 Fix allowing invalid # references in controller arguments (@​valtzu)
• bug #​63676 Reset router locale to default when finishing main request (@​guillaumeVDP)
• bug #​63616 Set propertyPath on MapUploadedFile validation violations (@​eyupcanakman)

v8.0.7

Compare Source

Changelog (symfony/http-kernel@v8.0.6...v8.0.7)

• bug #​63555 Fix int-to-float coercion for JSON # with pre-parsed array data (@​eyupcanakman)

v8.0.6

Compare Source

Changelog (symfony/http-kernel@v8.0.5...v8.0.6)

• bug #​54703 Fix default locale ignored when Accept-Language has no enabled-locale match (@​karimmorel)
• bug #​63428 Fix handling of constructor enum denormalization errors (@​vvaswani)
• bug #​63386 Handle invalid backed-enum values gracefully in RequestPayloadValueResolver (@​nicolas-grekas)
• bug #​63363 Fix variadic argument handling with # (@​nicolas-grekas)
• bug #​63260 Fix handling empty MapUploadedFile arrays (@​nicolas-grekas)
• bug #​63238 Fall back to 0 when getCode() does not provide an integer (@​makomweb)
• bug #​63234 Fix parsing Target attributes on properties and on controllers (@​nicolas-grekas)

v8.0.5

Compare Source

Changelog (symfony/http-kernel@v8.0.4...v8.0.5)

• no significant changes

v8.0.4

Compare Source

Changelog (symfony/http-kernel@v8.0.3...v8.0.4)

• bug #​62848 Fix using HTTP Cache in worker mode (@​nicolas-grekas, @​stakovicz)

v8.0.3

Compare Source

Changelog (symfony/http-kernel@v8.0.2...v8.0.3)

• no significant changes

v8.0.2

Compare Source

Changelog (symfony/http-kernel@v8.0.1...v8.0.2)

• no significant changes

v8.0.1

Compare Source

Changelog (symfony/http-kernel@v8.0.0...v8.0.1)

• bug symfony/symfony#62488 [HttpKernel] Make #[Cache] respect all explicit cache directives set in controller (@​ayyoub-afwallah)
• bug symfony/symfony#62535 [HttpKernel] Don't reset services between fragments redering when using in HttpCache (@​nicolas-grekas)

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks