CVE-2024-36610 Information

Description

A deserialization vulnerability exists in the Stub class of the VarDumper module in Symfony v7.0.3. The vulnerability stems from deficiencies in the original implementation when handling properties with null or uninitialized values. An attacker could construct specific serialized data and use this vulnerability to execute unauthorized code.

Reference

https://gist.github.com/1047524396/24e93f2905850235e42ad7db6e878bd5
https://github.com/symfony/symfony/blob/v7.0.3/src/Symfony/Component/VarDumper/Cloner/Stub.php#L53
https://github.com/symfony/symfony/commit/3ffd495bb3cc4d2e24e35b2d83c5b909cab7e259
