CVE-2026-24739

6.3 MEDIUM

📋 TL;DR

This vulnerability in Symfony's Process component on Windows allows argument corruption when spawning native executables from MSYS2-based shells like Git Bash. It affects applications that use Symfony Process with user-controlled paths containing '=' characters, potentially leading to unintended file operations including data deletion. Systems running affected Symfony versions on Windows with MSYS2 environments are at risk.

💻 Affected Systems

Products:
  • Symfony Process component
Versions: All versions prior to 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5
Operating Systems: Windows with MSYS2-based shells (Git Bash, MSYS2)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when PHP runs from MSYS2 shells and spawns native Windows executables with path arguments containing '='

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete deletion of directory contents or drive data when file-management commands receive corrupted path arguments

🟠 Likely Case: File corruption or unintended file operations on specific paths containing '=' characters

🟢 If Mitigated: No impact if not using MSYS2 shells or if paths don't contain special characters

🌐 Internet-Facing: LOW - Requires specific Windows/MSYS2 environment and user-controlled path input
🏢 Internal Only: MEDIUM - Development environments and CI/CD pipelines using Git Bash on Windows could be affected

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires specific environment setup and ability to influence path arguments passed to Symfony Process

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.51, 6.4.33, 7.3.11, 7.4.5, or 8.0.5 depending on Symfony version

Vendor Advisory: https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6

Restart Required: No

Instructions:

1. Identify your Symfony version.
2. Update to the patched version via Composer: composer update symfony/process
3. Verify the update with: composer show symfony/process

🔧 Temporary Workarounds

Avoid MSYS2 shells (windows)

Run PHP and tooling from cmd.exe or PowerShell instead of Git Bash/MSYS2

Configure MSYS2 argument conversion (windows)

Set the MSYS2_ARG_CONV_EXCL environment variable to exclude arguments from MSYS2 conversion; the value * below excludes every argument, or it can list argument prefixes to limit the exclusion to specific commands

set MSYS2_ARG_CONV_EXCL=*

Avoid special characters in paths (windows)

Ensure paths passed to Symfony Process don't contain '=' or other MSYS2-sensitive characters

🧯 If You Can't Patch

  • Switch to cmd.exe or PowerShell for all Symfony Process operations
  • Implement input validation to reject paths containing '=' characters
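
One way to put the "reject paths containing '='" workaround at the call site, as an added example that is not the advisory's or Symfony's own code. It assumes symfony/process is installed via Composer (vendor/autoload.php) and uses the MSYSTEM environment variable, which MSYS2 shells export, as a heuristic for "PHP was launched from Git Bash/MSYS2"; the path values are constructed for illustration.

```php
<?php
// Added example: validate path arguments before handing them to Symfony Process.
// Assumes symfony/process is available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Process\Process;

/**
 * Heuristic: MSYS2-based shells (Git Bash, MSYS2) export MSYSTEM
 * (e.g. "MINGW64"); plain cmd.exe or PowerShell sessions do not.
 * Assumption for this example, not a guarantee for every setup.
 */
function runningUnderMsys2(): bool
{
    return PHP_OS_FAMILY === 'Windows' && getenv('MSYSTEM') !== false;
}

/**
 * Rejects a path argument that contains '=' (the character the advisory
 * names as subject to MSYS2 argument conversion). Throwing is deliberate:
 * a silently rewritten path is exactly what must not reach rmdir/del.
 */
function assertSafePathArgument(string $path): string
{
    if (strpos($path, '=') !== false) {
        throw new InvalidArgumentException(
            sprintf('Refusing path argument containing "=": %s', $path)
        );
    }
    return $path;
}

/**
 * Runs a native executable with every path argument validated first.
 * Under an MSYS2 shell a warning is written to stderr so the environment
 * condition from the advisory is visible in job logs.
 */
function runWithValidatedPaths(array $command, array $pathArguments): Process
{
    $safePaths = array_map('assertSafePathArgument', $pathArguments);

    if (runningUnderMsys2()) {
        fwrite(STDERR, "warning: PHP is running under an MSYS2 shell; prefer cmd.exe or PowerShell\n");
    }

    // Array form keeps each argument as its own element; no shell string is built here.
    $process = new Process(array_merge($command, $safePaths));
    $process->mustRun();

    return $process;
}

// Constructed sample inputs: the first path is accepted, the second is refused
// before any process is spawned.
$listing = runWithValidatedPaths(['cmd', '/c', 'dir'], ['C:\\build\\output']);
echo $listing->getOutput();

try {
    runWithValidatedPaths(['cmd', '/c', 'dir'], ['C:\\build\\name=value']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check is intentionally applied to every path argument regardless of shell, since the MSYSTEM heuristic only adds a log line; updating to a patched release remains the actual fix.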

🔍 How to Verify

Check if Vulnerable:

Check if running Symfony Process on Windows from Git Bash/MSYS2 with version below patched releases

Check Version:

composer show symfony/process | grep versions

Verify Fix Applied:

Verify Symfony Process version is 5.4.51+, 6.4.33+, 7.3.11+, 7.4.5+, or 8.0.5+

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion logs
  • Process execution errors with path arguments containing '='

SIEM Query:

Process execution where command contains 'rmdir', 'del', or similar with paths containing '=' characters on Windows systems
