CVE-2026-46644: Insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels. Source: https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels
Idn::process() fails a UTS #46 validity check and accepts invalid xn-- labels that native ext-intl rejects, so unequal domains can be treated as equal, enabling blacklist bypass, inconsistent URL parsing and potential SSRF. symfony/polyfill-intl-idn is a transitive dependency across the Laravel/Symfony stack, so our apps are exposed.
- Affected:
symfony/polyfill-intl-idn1.17.1 up to (but not including) 1.38.1 - Patched: 1.38.1
- Fix: run
composer update symfony/polyfill-intl-idn(to 1.38.1+) on all nodes, then redeploy. - Nodes: production web (prod-web1, prod-web2) + staging + worker/queue.
- Verify:
composer show symfony/polyfill-intl-idnreports 1.38.1 or newer.
composer update on all nodes - patch CVE-2026-46644 (symfony/polyfill-intl-idn)
Assigned to
Tags
-
Jonathan Gustafsson moved item to board Awaiting Review
1 month ago -
Jonathan Gustafsson moved item to board Backlog
1 month ago -
Jonathan Gustafsson moved item to project Bugs
1 month ago -
Jonathan Gustafsson created the item
1 month ago