The `ux:install` console command in Symfony's UX Toolkit installs files from a recipe kit by copying the paths listed in a `copy-files` map. Prior to the patch, the only validation performed was `Path::isRelative()`, which incorrectly returns `true` for malicious paths like `../../../etc`. `Path::join()` then resolves the `..` segments without any restriction, so the final path can escape the intended directory entirely. A crafted or compromised kit can therefore write attacker-controlled content to arbitrary locations on the developer's machine or CI runner.
Because the copy operation automatically creates missing parent directories and can overwrite existing files silently (with `--force` or in non-interactive environments), an attacker who controls a kit can overwrite critical files such as controllers, git hooks, or `.env` to achieve code execution. The source side of `copy-files` is symmetrically affected, enabling local file reads outside the recipe directory. The fix introduces an `Assert::pathDoesNotEscapeDirectory()` helper that rejects any `copy-files` source or destination path containing a `..` segment, regardless of whether `/` or `\` is used as the separator. This check is enforced in both `RecipeManifest` (which also guards the source Finder) and `File`. As a last line of defense, the installer re-verifies the fully resolved paths with `Path::isBasePath()` immediately before each filesystem read and write.
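As an added illustration (not the toolkit's own code), the two layers the patch describes, a separator-agnostic rejection of `..` segments followed by a resolved-path base check, applied to a constructed `copy-files` map; the function names are hypothetical.

```php
<?php
// Added example, not the toolkit's code: a defender-side validator for a `copy-files`
// map, modelled on the two layers the patch describes. Function names are hypothetical.
declare(strict_types=1);

/** Layer 1: reject any '..' segment, whichever separator ('/' or '\') the kit used. */
function assertPathDoesNotEscapeDirectory(string $path): void
{
    foreach (preg_split('#[/\\\\]+#', $path) as $segment) {
        if ($segment === '..') {
            throw new InvalidArgumentException(sprintf('Path "%s" contains ".." and would escape the directory', $path));
        }
    }
}

/** Layer 2: resolve base + relative and require the result to stay under $base (the Path::isBasePath idea). */
function resolveInside(string $base, string $relative): string
{
    $parts = [];
    foreach (preg_split('#[/\\\\]+#', $base . '/' . $relative) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts); // this pop is exactly how a '..' walks out of $base
            continue;
        }
        $parts[] = $segment;
    }
    $resolved = '/' . implode('/', $parts);
    if ($resolved !== $base && !str_starts_with($resolved, rtrim($base, '/') . '/')) {
        throw new RuntimeException(sprintf('"%s" resolves to "%s", outside "%s"', $relative, $resolved, $base));
    }
    return $resolved;
}

// Constructed sample map (source => destination): one benign entry, two that must be rejected.
$copyFiles = [
    'templates/components/Button.html.twig' => 'templates/components/Button.html.twig',
    '..\\..\\..\\config\\services.yaml' => 'config/services.yaml', // backslash variant
    'hooks/pre-commit' => '../../../.git/hooks/pre-commit',
];
foreach ($copyFiles as $source => $destination) {
    try {
        assertPathDoesNotEscapeDirectory($source);
        assertPathDoesNotEscapeDirectory($destination);
        echo 'OK   ', resolveInside('/var/www/project', $destination), PHP_EOL;
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'DENY ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first entry is copied; the other two are refused by layer 1 before any filesystem access, and layer 2 would still catch a resolved path that slipped past it.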
DailyCVE Form:
Platform: Symfony UX Toolkit
Version: < 2.25.1
Vulnerability: Path Traversal
Severity: Critical
Date: 2026-06-19
Prediction: 2026-06-19
What Undercode Say:
Check whether your project uses the vulnerable ux-toolkit package:
```shell
composer show symfony/ux-toolkit
```
Create a recipe kit manifest that attempts path traversal (a constructed test input; the manifest layout is not documented in this post):
```shell
echo '{"copy-files": {"source": "../../../etc/passwd", "destination": "evil.txt"}}' > malicious-kit.json
```
Simulate the vulnerable path resolution (`Path` is `Symfony\Component\Filesystem\Path`, so the Composer autoloader must be loaded first):
```shell
php -r "require 'vendor/autoload.php'; echo \Symfony\Component\Filesystem\Path::join('/var/www/project', '../../../etc/passwd');"
```
Output: `/etc/passwd` (the three `..` segments resolve past the project root)
The fix: `Assert::pathDoesNotEscapeDirectory()` validation (the `Assert` class is internal to the toolkit; use its fully qualified class name from the patched release):
```shell
php -r "require 'vendor/autoload.php'; Assert::pathDoesNotEscapeDirectory('../../../etc/passwd');"
```
Throws exception: Path contains ".." and would escape directory
Exploit:
An attacker can craft a recipe kit with a `copy-files` entry containing `../../../` sequences. When a developer runs `ux:install` with this kit, the framework copies files outside the intended directory. For example, a destination like `../../../.env` overwrites the project’s environment file, while a source like `../../../config/services.yaml` reads sensitive configuration. Combined with --force, the overwrite happens silently, making detection difficult.
Protection:
Upgrade to `symfony/ux-toolkit` >= 2.25.1. If immediate upgrade is not possible, manually review all recipe kits before installation and avoid using untrusted sources. The patch introduces `Assert::pathDoesNotEscapeDirectory()` which blocks any path containing `..` segments, and `Path::isBasePath()` as a final verification before each filesystem operation.
Impact:
Successful exploitation allows arbitrary file write and read outside the project directory. An attacker can overwrite `.env` files to inject malicious environment variables, replace controller files to execute arbitrary PHP code, or modify git hooks to run commands on commit. On CI runners, this can lead to supply chain compromise, credential theft, and persistent backdoors in the development pipeline.
Sources:
Reported By: github.com