Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended.

If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration).

Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contain a patch for the issue. Some workarounds are available:

  • Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables.
  • Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2.
  • Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.
Published: 2026-01-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local destructive file deletion
Action: Patch Immediately
AI Analysis

Impact

Symfony’s Process component incorrectly escaped certain characters, particularly '=', when generating command-line arguments for native Windows executables in MSYS2‑based environments such as Git Bash. The mis‑escaping caused the spawned process to receive truncated or altered arguments, which could lead to the execution of file‑management commands like rmdir or del on unintended target paths. The outcome is the deletion of data from a broader directory or even an entire drive, representing a severe local destructive file operation.

Affected Systems

The issue affects Symfony versions prior to 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5. Any application or tooling—such as Composer scripts—that relies on Symfony’s Process component to run Windows executables while operating in an MSYS2 or Git Bash shell on Windows is vulnerable. The affected component is included in the Symfony PHP framework, which is widely used for both web and console PHP applications.

Risk and Exploitability

The risk is primarily local; an attacker must be able to run PHP in an MSYS2‑based shell on the target Windows machine and influence the arguments passed to Symfony Process. Because the exploitation relies on untrusted input in a local context, organizations that run Symfony applications from MSYS2 shells or allow dynamic path construction should treat the vulnerability seriously and apply the recommended patches and workarounds promptly. The EPSS score of <1% indicates a very low exploitation probability in the wild, and the vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Symfony to version 5.4.51, 6.4.33, 7.3.11, 7.4.5, or 8.0.5 or newer, which includes the missing argument‑escaping fix.
  • Do not execute PHP or any Symfony‑based tooling from Git Bash or any MSYS2‑based shell on Windows; use cmd.exe or PowerShell instead.
  • Avoid passing paths that contain ‘=’ (or other MSYS2‑sensitive characters) to Symfony Process when operating under Git Bash/MSYS2.

Generated by OpenCVE AI on April 18, 2026 at 14:39 UTC.
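
To triage a project against the fixed versions listed above, the following is an added example (not code from OpenCVE or the Symfony project) that reads a `composer.lock`, flags `symfony/process` or `symfony/symfony` releases below the fix for their release line, and marks them as exposed when the calling shell sets `MSYSTEM`, as MSYS2 and Git Bash do. The function names, the sample lock content and the mapping of each fixed version to a release line are assumptions of this example.

```python
import json
import os
import re

# Fixed releases named in the advisory. Treating each one as the fix for every
# release line up to and including its own is this example's assumption.
FIXED = [(5, 4, 51), (6, 4, 33), (7, 3, 11), (7, 4, 5), (8, 0, 5)]
PACKAGES = {"symfony/process", "symfony/symfony"}  # standalone and monorepo

# Constructed sample standing in for a project's composer.lock.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v6.4.30"},
        {"name": "symfony/process", "version": "v6.4.30"},
    ],
    "packages-dev": [],
})

def parse_version(text):
    """Return (major, minor, patch), or None for dev-main and similar."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(version):
    """Compare against the first fixed release at or after the version's line."""
    for fix in FIXED:
        if version[:2] <= fix[:2]:
            return version >= fix
    return True  # newer than every release line the advisory lists

def in_msys2_shell(env):
    """MSYS2 and Git Bash export MSYSTEM (e.g. MINGW64) to child processes."""
    return bool(env.get("MSYSTEM"))

def audit(lock_text, env):
    """Return (package, version, status) for each finding in the lock file."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") not in PACKAGES:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            findings.append((pkg["name"], pkg.get("version"), "unknown"))
        elif not is_patched(version):
            status = "exposed" if in_msys2_shell(env) else "unpatched"
            findings.append((pkg["name"], pkg["version"], status))
    return findings

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_LOCK, os.environ):
        print(f"{name} {version}: {status}")
```

An "unpatched" result still calls for the upgrade, since the same project may later be run from Git Bash by a developer or a CI job.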

Advisories
Source | ID | Title
Github GHSA | GHSA-r39x-jcww-82v6 | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

History

Mon, 02 Feb 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sensiolabs; Sensiolabs symfony
CPEs | | cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Vendors & Products | | Sensiolabs; Sensiolabs symfony

Fri, 30 Jan 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Symfony; Symfony symfony
Vendors & Products | | Symfony; Symfony symfony

Wed, 28 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations
Weaknesses | | CWE-88
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T18:01:36.510Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24739

Vulnrichment

Updated: 2026-01-29T16:03:55.291Z

NVD

Status: Analyzed

Published: 2026-01-28T21:16:11.750

Modified: 2026-02-02T14:24:27.267

Link: CVE-2026-24739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses