Symfony 2.3.18, 2.4.8, and 2.5.2 have just been released; they contain a security fix for the Translator class provided by FrameworkBundle (CVE-2014-4931).

The Symfony versions released today also contain a server-side mitigation for a JSONP vulnerability as described in CVE-2014-4671. You can learn more about this at Abusing JSONP with Rosetta Flash. Also, if you are using NelmioSecurityBundle, disable the content type sniffing for script resources.

We do not provide new versions of Symfony 2.0, 2.1, and 2.2 anymore as they reached their end of life; if you really need to patch those versions, use the patch for Symfony 2.3.

All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the FrameworkBundle coming from the Symfony full-stack framework are affected by this issue. The translator component by itself is not vulnerable.

When investigating issue #11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle.

Your Symfony application is vulnerable if you meet the following conditions:

You are using the Symfony translation system from FrameworkBundle (basically, if you are using the Symfony full-stack framework; you are not affected if you are using the Translation component on its own, with Silex for instance);

You don't sanitize locales coming from a URL (any route with a _locale argument, for instance).

When vulnerable, an attacker can submit an invalid locale value containing PHP code that Symfony will then execute. That's because the locale value is dumped into a PHP file generated in the cache without being sanitized first.
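One way to close the second condition above while waiting to upgrade is to reject any _locale value that is not one of the locales your application actually ships, before FrameworkBundle ever sees it. The listener below is an added example, not Symfony's own code or the fix shipped in these releases; the bundle namespace, the allow-list contents and the listener priority are assumptions for a Symfony 2.3-era application.

```php
<?php
// Added example (not Symfony's own code): reject any _locale value that is
// not on a strict allow-list, so an attacker-controlled locale never reaches
// the translator's cache writer.
namespace Acme\DemoBundle\EventListener; // hypothetical bundle namespace

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

class LocaleAllowListListener implements EventSubscriberInterface
{
    /** @var string[] locales the application really supports (assumed set) */
    private $allowed;

    public function __construct(array $allowed = array('en', 'fr', 'de'))
    {
        $this->allowed = $allowed;
    }

    public static function getSubscribedEvents()
    {
        // Priority 20 (assumed): after the router has populated _locale,
        // before the framework's own locale listener reads it.
        return array(KernelEvents::REQUEST => array(array('onKernelRequest', 20)));
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        if (!$request->attributes->has('_locale')) {
            return; // route has no locale parameter, nothing to validate
        }

        $locale = $request->attributes->get('_locale');
        if (!self::isAllowed($locale, $this->allowed)) {
            // Fail closed: an unknown locale is a 404, not a fallback.
            throw new NotFoundHttpException('Unsupported locale.');
        }
    }

    /** Exact, type-strict allow-list match: no regex, no normalisation. */
    public static function isAllowed($locale, array $allowed)
    {
        return is_string($locale) && in_array($locale, $allowed, true);
    }
}
```

For a single route, the same effect can be obtained with a routing requirement on the parameter (for example `requirements: { _locale: en|fr|de }`), which makes the router itself refuse anything else.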