Cross-site request forgery in Symfony - CVE-2022-23601
Published: January 29, 2022 / Updated: May 21, 2026
Symfony
Detailed vulnerability description
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to improper access control in the FrameworkBundle form CSRF protection mechanism when processing forms without explicitly enabled CSRF protection. A remote attacker can cause the victim's browser to submit a crafted request to perform cross-site request forgery attacks.
The issue occurs when the application relies on the default configuration behavior and does not explicitly enable CSRF protection for forms.