Affected versions
Symfony versions <5.4.43; >=6, <6.4.11; >=7, <7.1.4 of the Symfony Validator component are affected by this security issue.
The issue has been fixed in Symfony 5.4.43, 6.4.11, and 7.1.4.
Description
It is possible to trick a Validator
configured with a regular expression using the $
metacharacters, with an input ending with \n
.
Resolution
Symfony now uses the D
regex modifier to match the entire input.