CVE-2026-55878
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-55878 is a path traversal vulnerability in the symfony/ux-toolkit Composer package that allows arbitrary file write and read via a crafted recipe manifest. The ux:install console command fails to properly validate paths in the copy-files map, enabling directory escape through .. segments. Affected versions are >=2.32.0, <2.36.1 (2.x branch) and >=3.0.0, <3.2.0 (3.x branch); patched versions are 2.36.1 and 3.2.0. It was disclosed on June 19, 2026, with a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Symfony Advisory).

Détails techniques

The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory — Path Traversal). The ux:install command's only path guard was Path::isRelative(), which incorrectly returns true for traversal sequences like ../../../etc; Path::join() then resolves the .. segments without restriction, allowing the final path to escape the intended recipe directory. Both the source and destination sides of the copy-files map are affected: the destination side enables arbitrary file writes (including silent overwrites with --force or in non-interactive CI environments), while the source side enables reads of arbitrary local files outside the recipe directory. The fix introduces an Assert::pathDoesNotEscapeDirectory() helper that rejects any path containing .. segments (using either / or \ as separators), enforced in both RecipeManifest and File, with a final check via Path::isBasePath() before each filesystem operation (GitHub Advisory, Symfony Advisory).

Impact

A successful exploit allows an attacker who controls or compromises a recipe kit to write attacker-controlled content to arbitrary locations on a developer's machine or CI runner — including overwriting controllers, git hooks, or .env files — which can lead to arbitrary code execution with the privileges of the developer or CI process. The source-side traversal additionally enables exfiltration of sensitive local files (e.g., credentials, private keys) outside the recipe directory. The combination of confidentiality, integrity, and availability impacts is rated High for all three dimensions, posing significant supply chain risk to affected development and CI/CD pipelines (GitHub Advisory, Feedly).

Étapes d’exploitation

  1. Craft a malicious recipe kit: Create or compromise a Symfony UX recipe kit and modify its manifest to include a copy-files map with path traversal sequences, e.g., "../../../tmp/evil.php": "../../../var/www/html/evil.php" as destination paths.
  2. Distribute the kit: Publish the malicious kit to a public or private package registry, or compromise an existing trusted kit repository to inject the malicious manifest.
  3. Trigger victim installation: Wait for or social-engineer a developer or CI pipeline to run php bin/console ux:install <malicious-kit> against the compromised kit, which requires no elevated privileges.
  4. Achieve arbitrary file write: The ux:install command processes the copy-files map; Path::isRelative() passes the traversal path, and Path::join() resolves .. segments, writing attacker-controlled content (e.g., a PHP web shell or malicious git hook) to the resolved out-of-bounds path.
  5. Achieve code execution: If a git hook (e.g., .git/hooks/pre-commit) or a web-accessible file was overwritten, trigger execution by committing code or making an HTTP request, gaining code execution with the privileges of the developer or CI runner (GitHub Advisory, Symfony Advisory).

Indicateurs de compromis

  • File System: Unexpected files created outside the project's recipe directory following a ux:install invocation; modified or newly created git hooks (e.g., .git/hooks/pre-commit, .git/hooks/post-merge); unexpected changes to .env, controller files, or other sensitive application files; new directories created in system paths (e.g., /tmp, /etc) by the PHP process.
  • Logs: Console/CI logs showing ux:install executed with an unfamiliar or external kit source; PHP error logs referencing unexpected file paths during recipe installation; filesystem audit logs (e.g., auditd) recording writes to paths outside the project root by the PHP process.
  • Process: PHP or Composer processes spawning unexpected child processes (e.g., shells, curl, wget) after a ux:install run; unusual network connections originating from the developer machine or CI runner shortly after kit installation.

Atténuation et solutions de contournement

Upgrade symfony/ux-toolkit to version 2.36.1 (for the 2.x branch) or 3.2.0 (for the 3.x branch), which introduce strict ..-segment rejection via Assert::pathDoesNotEscapeDirectory() (GitHub Advisory, Symfony Advisory). As a workaround prior to patching, restrict ux:install usage to recipe kits from fully trusted and audited sources only, and avoid running installations in non-interactive or --force modes. Consider running recipe installations in sandboxed or isolated environments (e.g., containers with limited filesystem access) to reduce the blast radius of a compromised kit.

Réactions de la communauté

The vulnerability was reported by Pascal Cescon and fixed by Hugo Alliaume, with Symfony publishing the advisory on June 19, 2026 (Symfony Advisory). A Reddit discussion appeared in the r/symfony community shortly after disclosure, reflecting community awareness of the supply chain risk posed by the vulnerability (Reddit). No significant broader media coverage or notable researcher commentary beyond the official advisory has been identified.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-55878HIGH7.8
  • PHP logoPHP
  • cpe:2.3:a:sensiolabs:symfony
NonOuiJul 08, 2026
CVE-2026-55877MEDIUM6.1
  • PHP logoPHP
  • composer://symfony/ux-icons
NonOuiJul 08, 2026
CVE-2026-48492MEDIUM4.9
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026
GHSA-gq4g-fpc9-vjfqLOW2.9
  • PHP logoPHP
  • web-auth/webauthn-lib
NonOuiJul 07, 2026
CVE-2026-55542LOW1.3
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités