CVE-2021-41270

MEDIUM
Published Nov 24, 20214y ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Nov 24, 2021 4y ago
Last Modified Jun 17, 2026 2w ago

Description

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-1236

Affected Products 4

VendorProductVersionRange
sensiolabssymfony*≥4.1.0  –  <4.4.35
sensiolabssymfony*≥5.0.0  –  <5.3.12
fedoraprojectfedora34any
fedoraprojectfedora35any

References 6

  • github.com https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
    PatchThird Party Advisory
  • github.com https://github.com/symfony/symfony/pull/44243
    PatchThird Party Advisory
  • github.com https://github.com/symfony/symfony/releases/tag/v5.3.12
    Release NotesThird Party Advisory
  • github.com https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
    PatchThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/

Remediation

  • github.com https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
    PatchThird Party Advisory
  • github.com https://github.com/symfony/symfony/pull/44243
    PatchThird Party Advisory
  • github.com https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
    PatchThird Party Advisory