{"api_version":"1","generated_at":"2026-04-30T16:03:08+00:00","cve":"CVE-2019-11325","urls":{"html":"https://cve.report/CVE-2019-11325","api":"https://cve.report/api/cve/CVE-2019-11325.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-11325","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-11325"},"summary":{"title":"CVE-2019-11325","description":"An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-11-21 23:15:00","updated_at":"2020-08-24 17:37:00"},"problem_types":["CWE-116"],"metrics":[],"references":[{"url":"https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3","name":"https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Comparing d8bf442...57e00f3 · symfony/var-exporter · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/symfony/symfony/releases/tag/v4.3.8","name":"https://github.com/symfony/symfony/releases/tag/v4.3.8","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release v4.3.8 · symfony/symfony · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://symfony.com/blog/symfony-4-3-8-released","name":"https://symfony.com/blog/symfony-4-3-8-released","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"Symfony 4.3.8 released (Symfony Blog)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter","name":"https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"CVE-2019-11325: Fix escaping of strings in VarExporter (Symfony Blog)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-11325","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11325","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"11325","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sensiolabs","cpe5":"symfony","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11325","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sensiolabs","cpe5":"symfony","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-11325","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3","refsource":"MISC","name":"https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3"},{"refsource":"CONFIRM","name":"https://symfony.com/blog/symfony-4-3-8-released","url":"https://symfony.com/blog/symfony-4-3-8-released"},{"refsource":"CONFIRM","name":"https://github.com/symfony/symfony/releases/tag/v4.3.8","url":"https://github.com/symfony/symfony/releases/tag/v4.3.8"},{"refsource":"CONFIRM","name":"https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter","url":"https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter"}]}},"nvd":{"publishedDate":"2019-11-21 23:15:00","lastModifiedDate":"2020-08-24 17:37:00","problem_types":["CWE-116"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3.0","versionEndExcluding":"4.3.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"11325","Ordinal":"149613","Title":"CVE-2019-11325","CVE":"CVE-2019-11325","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"11325","Ordinal":"1","NoteData":"An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"11325","Ordinal":"2","NoteData":"2019-11-21","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"11325","Ordinal":"3","NoteData":"2019-11-21","Type":"Other","Title":"Modified"}]}}}