CVE-2024-50342

unknown

Published 2024-11-06 · Modified 2026-02-03

CVSS v3

—

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2

—

VIR risk

—

Description

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-50342

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`5.4.23+dfsg-1+deb12u3`
debian	bullseye	fixed	`0`
debian	forky	fixed	`6.4.15+dfsg-1`
debian	sid	fixed	`6.4.15+dfsg-1`
debian	trixie	fixed	`6.4.15+dfsg-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	symfony/http-client	`>=4.3.0,<5.4.47`	`5.4.47`
Packagist	symfony/http-client	`>=6.0.0,<6.4.15`	`6.4.15`
Packagist	symfony/http-client	`>=7.0.0,<7.1.8`	`7.1.8`
Packagist	symfony/symfony	`>=4.3.0,<5.4.47`	`5.4.47`
Packagist	symfony/symfony	`>=6.0.0,<6.4.15`	`6.4.15`
Packagist	symfony/symfony	`>=7.0.0,<7.1.8`	`7.1.8`

References

Verify integrity in audit chain (admin only). AS-IS.