CVE-2019-18887

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.

Published: Nov 21, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-18887
GHSA: GHSA-q8hg-pf8v-cxrv
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	3.4.0	3.4.34.x
sensiolabs / symfony	4.2.0	4.2.11.x
sensiolabs / symfony	4.3.0	4.3.7.x
sensiolabs / symfony	2.8.0	2.8.50.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
symfony / http-kernel	2.2.0	2.8.52
symfony / http-kernel	3.0.0	3.4.35
symfony / http-kernel	4.0.0	4.2.12
symfony / http-kernel	4.3.0	4.3.8
symfony / symfony	2.2.0	2.8.52
symfony / symfony	3.0.0	3.4.35
symfony / symfony	4.0.0	4.2.12
symfony / symfony	4.3.0	4.3.8

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2019-18887.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18887.yaml
https://github.com/symfony/symfony/releases/tag/v4.3.8
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
https://symfony.com/blog/symfony-4-3-8-released
https://symfony.com/cve-2019-18887

Vulnerability Database

300,991

CVE-2019-18887

Deep Security Visibility Without the Complexity