CVE-2024-28861

9.8 CRITICAL

📋 TL;DR

CVE-2024-28861 is a remote code execution vulnerability in the Symfony 1 framework caused by unsafe deserialization in the sfNamespacedParameterHolder class. It is exploitable when an application deserializes untrusted user input into that class, potentially leading to complete system compromise. All Symfony 1 releases from 1.1.0 through 1.5.18 are affected.

💻 Affected Systems

Products:
  • Symfony 1
Versions: 1.1.0 through 1.5.18
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires that the application deserializes user input using the affected sfNamespacedParameterHolder class.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution leading to complete system takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution allowing attackers to execute arbitrary commands, install malware, or pivot to other systems.

🟢 If Mitigated

No impact if proper input validation and deserialization controls are implemented.

🌐 Internet-Facing: HIGH - Web applications using Symfony 1 are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires finding deserialization points in the application, but the gadget chain is publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.19

Vendor Advisory: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433

Restart Required: Yes

Instructions:

1. Update Symfony 1 to version 1.5.19 or later.
2. Replace the symfony1 directory with the patched version.
3. Restart your web server (Apache/Nginx) and PHP-FPM if applicable.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to prevent deserialization of untrusted data.

Disable Dangerous Deserialization (applies to: all)

Review and remove any code that deserializes user input using sfNamespacedParameterHolder.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block deserialization attempts
  • Isolate affected systems from critical network segments and implement strict network segmentation

🔍 How to Verify

Check if Vulnerable:

Check your Symfony 1 version by examining the lib/vendor/symfony/VERSION file or using composer show symfony1/symfony1 if installed via Composer.

Check Version:

cat lib/vendor/symfony/VERSION

Verify Fix Applied:

Verify the version is 1.5.19 or higher and check that the commit 0bd9d59c69221f49bfc8be8b871b79e12d7d171a is present in your codebase.
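An added verification script (not part of this advisory or of Symfony 1) that applies both checks above: it compares the VERSION file numerically against 1.5.19 and, where lib/vendor/symfony is a git checkout that contains the fix commit, confirms that the commit is in HEAD's history. The VERSION path and commit id are taken from the advisory; the function names and comparison logic are this script's own.

```shell
#!/bin/sh
# Added verification helper for CVE-2024-28861 (not part of the advisory or of
# Symfony 1). Checks that lib/vendor/symfony/VERSION reads 1.5.19 or higher and,
# when that directory is a git checkout holding the fix commit, that the commit
# is an ancestor of HEAD. Path and commit id come from the advisory text.

FIXED_VERSION="1.5.19"
FIX_COMMIT="0bd9d59c69221f49bfc8be8b871b79e12d7d171a"

# version_ge A B: succeed when dotted version A >= B, comparing each numeric
# component (1.10.0 > 1.5.19); a suffix such as "-DEV" is ignored.
version_ge() {
    want=$2
    set -- $(printf '%s' "$1" | sed 's/[^0-9.].*//' | tr '.' ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s' "$want" | sed 's/[^0-9.].*//' | tr '.' ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# symfony1_fixed APPDIR: succeed when the Symfony 1 tree under APPDIR is on a
# fixed release; report the reason on stderr otherwise (2 = cannot tell).
symfony1_fixed() {
    sfdir="$1/lib/vendor/symfony"
    if [ ! -r "$sfdir/VERSION" ]; then
        echo "no VERSION file at $sfdir/VERSION" >&2
        return 2
    fi
    ver=$(tr -d '[:space:]' < "$sfdir/VERSION")
    if ! version_ge "$ver" "$FIXED_VERSION"; then
        echo "Symfony 1 $ver is below $FIXED_VERSION: affected by CVE-2024-28861" >&2
        return 1
    fi
    # Only meaningful when the fix commit object exists in this checkout.
    if command -v git >/dev/null 2>&1 &&
       git -C "$sfdir" cat-file -e "$FIX_COMMIT^{commit}" 2>/dev/null &&
       ! git -C "$sfdir" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
        echo "VERSION says $ver but fix commit $FIX_COMMIT is not in HEAD's history" >&2
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then symfony1_fixed "$1"; fi
```

Run it as `sh check-symfony1.sh /path/to/app`; a non-zero exit means the tree is affected (1) or could not be assessed (2).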

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP process execution patterns
  • Deserialization errors in application logs
  • Suspicious POST requests with serialized data

Network Indicators:

  • HTTP requests containing serialized PHP objects in parameters
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND ("sfNamespacedParameterHolder" OR "unserialize" OR "__destruct" OR "__wakeup")
