CVE-2020-5274

Exceptions displayed in non-debug configurations in Symfony

Description

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5

Category

4.6
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.27%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: symfony symfony
Published at:
Updated at:

References

Link Tags
https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2 third party advisory
https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db third party advisory patch
https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2020-5274?
CVE-2020-5274 has been scored as a medium severity vulnerability.
How to fix CVE-2020-5274?
To fix CVE-2020-5274, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-5274 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-5274 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-5274?
CVE-2020-5274 affects symfony symfony.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.