CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24739: The Equalizer: How a Single Character Deleted Your Drive

Vulnerability ID: CVE-2026-24739
CVSS Score: 6.3
Published: 2026-01-28

A critical argument injection vulnerability in the Symfony Process component allows for destructive file operations when running on Windows under MSYS2/Git Bash environments. Due to improper escaping of the equals sign (=), the MSYS2 'Magic Path Conversion' layer misinterprets file paths, potentially truncating arguments and causing commands like 'rmdir' to execute on parent directories or drive roots.

TL;DR

Symfony forgot to quote the '=' character on Windows. If you run PHP scripts in Git Bash and use Symfony Process to handle paths with '=', MSYS2 mangles the path. In the worst case, a command meant to delete a sub-folder deletes your entire drive instead.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-88
  • CVSS v3.1: 6.3 (Medium)
  • Attack Vector: Local (Context Dependent)
  • Impact: High Integrity / High Availability
  • Platform: Windows (MSYS2/Git Bash)
  • Bug Class: Argument Injection / Improper Escaping

Affected Systems

  • Symfony < 5.4.51 (fixed in 5.4.51)
  • Symfony >= 6.4.0, < 6.4.33 (fixed in 6.4.33)
  • Symfony >= 7.3.0, < 7.3.11 (fixed in 7.3.11)
  • Symfony >= 7.4.0, < 7.4.5 (fixed in 7.4.5)
  • Symfony >= 8.0.0, < 8.0.5 (fixed in 8.0.5)
  • Composer (running on Windows via Git Bash)
  • PHP applications using Symfony Process on Windows

Code Analysis

Commit: ec154f6

Expand the list of characters triggering argument quoting in Windows

--- a/src/Symfony/Component/Process/Process.php
+++ b/src/Symfony/Component/Process/Process.php
-        if (!preg_match('/[()%!^"<>&|\s]/', $argument)) {
+        if (!preg_match('/[()%!^"<>&|\s[\]=;*?\'\$]/', $argument)) {
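Review bot: the hunk carries no `@@` header or context lines, so the method this regex lives in and the branch that returns the argument unquoted are not visible; include the surrounding lines so a reviewer can confirm the early return is the only path that emits a bare argument, and pair the change with a regression test asserting that an argument containing `=` (the character this CVE hinges on) is now quoted on Windows. Also worth a comment in the source: inside a PHP single-quoted string `\'` becomes a plain quote while `\$` is kept as written, so the class the regex engine actually receives is `[()%!^"<>&|\s[\]=;*?'\$]`, which is the intended set but not obvious at a glance.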

Exploit Details

  • Internal Analysis: Reproduced by creating a directory whose name contains '=' and invoking Process::run() on it.

Mitigation Strategies

  • Mandatory Framework Update: Upgrade Symfony components immediately.
  • Environment Hardening: Avoid using MSYS2/Git Bash for high-privilege cleanup scripts on Windows.
  • Defensive Coding: Ensure application-level input validation rejects file paths with unusual characters like '=' before they reach the Process component.

Remediation Steps:

  1. Run composer update symfony/process to pull the latest patched versions.
  2. Verify the installed version is >= 5.4.51, 6.4.33, 7.3.11, 7.4.5, or 8.0.5.
  3. Audit custom scripts invoking Symfony\Component\Process\Process for arguments constructed from user input.
  4. If updating is impossible, wrap all arguments in manual quotes before passing them to the Process array (though this effectively double-quotes them after the patch).
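As an added example (not Symfony's code or the report's), a small Python audit helper covering remediation steps 2 and 3: it reads the symfony/process version out of a composer.lock, compares it with the fixed releases listed above, and re-implements only the two character classes from the diff to list which arguments the pre-patch Windows code path would have passed through unquoted. The composer.lock fragment and the argument list are constructed; treating branches the advisory lists no fix for (e.g. 6.3.x, 7.2.x) as affected is an assumption made here so they get a manual look.

```python
import json
import re

# Character classes copied from the patch. PHP's single-quoted string turns \' into a
# plain quote and keeps \$ as-is, so the engine sees [()%!^"<>&|\s[\]=;*?'\$].
OLD_NEEDS_QUOTING = re.compile(r'[()%!^"<>&|\s]')
NEW_NEEDS_QUOTING = re.compile(r'''[()%!^"<>&|\s\[\]=;*?'$]''')

# First fixed release per branch, from the advisory's affected-version list.
FIXED = {(5, 4): (5, 4, 51), (6, 4): (6, 4, 33), (7, 3): (7, 3, 11),
         (7, 4): (7, 4, 5), (8, 0): (8, 0, 5)}


def parse_version(text):
    """'v6.4.30' -> (6, 4, 30); any pre-release suffix is ignored."""
    m = re.match(r'v?(\d+)\.(\d+)\.(\d+)', text.strip())
    if not m:
        raise ValueError(f'unrecognised version: {text!r}')
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the version falls inside an affected range from the advisory.
    Assumption: a branch with no fix listed is reported as affected (check by hand)."""
    v = parse_version(text)
    if v < (5, 4, 51):          # advisory: everything below 5.4.51
        return True
    fixed = FIXED.get(v[:2])
    return fixed is None or v < fixed


def process_version_from_lock(lock_json):
    """Installed symfony/process version recorded in composer.lock text, or None."""
    lock = json.loads(lock_json)
    for pkg in lock.get('packages', []) + lock.get('packages-dev', []):
        if pkg.get('name') == 'symfony/process':
            return pkg['version']
    return None


def newly_quoted(args):
    """Arguments the pre-patch regex passed to Windows bare but the patched one quotes."""
    return [a for a in args
            if not OLD_NEEDS_QUOTING.search(a) and NEW_NEEDS_QUOTING.search(a)]


if __name__ == '__main__':
    # Constructed composer.lock fragment and argument list for the demo.
    lock = json.dumps({'packages': [{'name': 'symfony/process', 'version': 'v6.4.30'}]})
    version = process_version_from_lock(lock)
    print(version, 'AFFECTED' if is_affected(version) else 'fixed')
    print(newly_quoted([r'C:\build\out=1', 'plain', 'has space', 'a;b']))
```

Arguments listed by newly_quoted() are the ones that reached the Windows command line bare before the patch; on an unpatched install under MSYS2/Git Bash those are the paths to audit first.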

Read the full report for CVE-2026-24739 on our website for more details including interactive diagrams and full exploit analysis.