Skip to content

Commit 28ba6d7

Browse files
1 parent e882d9d commit 28ba6d7

1 file changed

Lines changed: 92 additions & 0 deletions

File tree

Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2xf4-cg6j-vhgq",
4+
"modified": "2026-05-28T19:52:36Z",
5+
"published": "2026-05-28T19:52:36Z",
6+
"aliases": [
7+
"CVE-2026-46644"
8+
],
9+
"summary": "symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form",
10+
"details": "### Description\n\n`symfony/polyfill-intl-idn` provides a userland implementation of `idn_to_utf8()` and `idn_to_ascii()` for runtimes that lack the `intl` extension. Its `Idn::process()` method decodes labels prefixed with `xn--` using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point.\n\nAs a consequence, `xn--` labels whose Punycode payload is empty (`xn--`) or decodes to a string made of only ASCII code points (e.g. `xn--kc1zs4-`) are accepted by the polyfill while PHP's native `ext-intl` rejects them with `IDNA_ERROR_INVALID_ACE_LABEL`. Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224).\n\nExample with `IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII`:\n\n| Input | Polyfill output | Native `ext-intl` output |\n| --- | --- | --- |\n| `poc.xn--kc1zs4-.com` | `poc.kc1zs4.com` | `false` (`errors=1024`) |\n| `poc.kc1zs4.xn--` | `poc.kc1zs4.` | `false` (`errors=1024`) |\n\nApplications using the polyfill to canonicalise or compare hostnames inherit the inconsistency.\n\n### Resolution\n\n`Idn::process()` now records `IDNA_ERROR_INVALID_ACE_LABEL` when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native `ext-intl` behaviour and UTS #46 revision 33.\n\nThe patch for this issue is available [here](https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec) for branch 1.x.\n\n### Credits\n\nSymfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "symfony/polyfill"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.17.1"
29+
},
30+
{
31+
"fixed": "1.38.1"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "symfony/polyfill-intl-idn"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "1.17.1"
48+
},
49+
{
50+
"fixed": "1.38.1"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq"
61+
},
62+
{
63+
"type": "WEB",
64+
"url": "https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill-intl-idn/CVE-2026-46644.yaml"
69+
},
70+
{
71+
"type": "WEB",
72+
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill/CVE-2026-46644.yaml"
73+
},
74+
{
75+
"type": "PACKAGE",
76+
"url": "https://github.com/symfony/polyfill"
77+
},
78+
{
79+
"type": "WEB",
80+
"url": "https://symfony.com/cve-2026-46644"
81+
}
82+
],
83+
"database_specific": {
84+
"cwe_ids": [
85+
"CWE-1289"
86+
],
87+
"severity": "LOW",
88+
"github_reviewed": true,
89+
"github_reviewed_at": "2026-05-28T19:52:36Z",
90+
"nvd_published_at": null
91+
}
92+
}

0 commit comments

Comments
 (0)