Symfony Process Windows Argument Escaping Vulnerability Leading to Destructive File Operations

Vulnerability Key Information Title Incorrect argument escaping under MSYS2/Git Bash on Windows can lead to destructive file operations Severity Moderate CVSS v3 Score: 6.3/10 Affected Packages and Versions symfony/process (Composer) - Affected versions: =6.4, =7.3, =7.4, =8.0, =6.4, =7.3, =7.4, =8.0, <8.0.5 - Patched versions: 5.4.51, 6.4.33, 7.3.11, 7.4.5, 8.0.5 Vulnerability Description The Symfony Process component fails to properly handle certain special characters (such as ) on Windows, leading to argument escaping issues. When PHP is executed from the MSYS2 environment and Symfony Process invokes native Windows executables, MSYS2’s argument/path conversion may incorrectly process unquoted arguments containing these characters. This can result in the generated process receiving corrupted or truncated arguments that differ from what Symfony intended. Impact Applications or tools (such as Composer scripts) that use Symfony Process to invoke file management commands (e.g., , ) and pass path arguments containing may have those arguments modified at runtime by the MSYS2 conversion layer. In affected setups, this could lead to operations being executed on unintended paths, including the deletion of entire directories or drive contents. Solution Upgrade to Symfony versions that include fix #63164 (updated Windows argument escaping to ensure arguments containing and other MSYS2-sensitive characters are properly quoted/escaped). The patch for the 5.4 branch is available at ec154f6. Mitigation/Alternatives Avoid running PHP/tools from the MSYS2 environment on Windows; instead, use cmd.exe or PowerShell for workflows involving native executable execution. Avoid passing paths containing to Symfony Process when running under Git Bash/MSYS2. If applicable, configure MSYS2 to disable or restrict argument conversion (e.g., via ), noting that this may affect the behavior of other tools.

Goal Reached Thanks to every supporter — we hit 100%!

Symfony Process Windows Argument Escaping Vulnerability Leading to Destructive File Operations

More from this source