Symfony Polyfill backports PHP features and provides compatibility layers for extensions and functions. From 1.17.1 until 1.38.1, symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload is empty or decodes to ASCII-only code points because Idn::process() does not enforce the UTS #46 revision 33 requirement that decoded ACE labels contain at least one non-ASCII code point. Originally unequal domain names can be regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications using the polyfill to canonicalise or compare hostnames. This issue is fixed in version 1.38.1.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-2xf4-cg6j-vhgq | symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 14 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Symfony Polyfill backports PHP features and provides compatibility layers for extensions and functions. From 1.17.1 until 1.38.1, symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload is empty or decodes to ASCII-only code points because Idn::process() does not enforce the UTS #46 revision 33 requirement that decoded ACE labels contain at least one non-ASCII code point. Originally unequal domain names can be regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications using the polyfill to canonicalise or compare hostnames. This issue is fixed in version 1.38.1. | |
| Title | symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence | |
| Weaknesses | CWE-1289 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T20:48:31.771Z
Reserved: 2026-05-15T20:11:54.584Z
Link: CVE-2026-46644
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA