Jonathan Gustafsson
Awaiting Review

CVE-2026-46644: Insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels. Source: https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels

Idn::process() fails a UTS #46 validity check and accepts invalid xn-- labels that native ext-intl rejects, so unequal domains can be treated as equal, enabling blacklist bypass, inconsistent URL parsing and potential SSRF. symfony/polyfill-intl-idn is a transitive dependency across the Laravel/Symfony stack, so our apps are exposed.

  • Affected: symfony/polyfill-intl-idn 1.17.1 up to (but not including) 1.38.1
  • Patched: 1.38.1
  • Fix: run composer update symfony/polyfill-intl-idn (to 1.38.1+) on all nodes, then redeploy.
  • Nodes: production web (prod-web1, prod-web2) + staging + worker/queue.
  • Verify: composer show symfony/polyfill-intl-idn reports 1.38.1 or newer.

composer update on all nodes - patch CVE-2026-46644 (symfony/polyfill-intl-idn)

no votes yet
Priority P1
Effort Medium

Assigned to

Yaroslav Yaroslav

Tags

Security
Quick Actions
Activity
View recent activity and updates
Use arrow keys to navigate