Fix CVE-2022-24894 in Symfony (Severity: HIGH)
Fix CVE-2022-24894 (response caching of private data) in Symfony for PHP. Paste your composer.json into PackageFix and get a patched version back — no CLI, no signup.
⚠ Vulnerability
CVE-2022-24894 — response caching of private data in Symfony. Update to ^7.0 or later.
Vulnerable Version — composer.json
"symfony/http-foundation": "^5.0"
Fixed Version — composer.json
"symfony/http-foundation": "^7.0"
✓ Fix
Update to ^7.0 and run composer install to apply the fix.
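A changed constraint in composer.json only takes effect once composer.lock resolves to a matching release, so the lock file is the place to confirm the fix landed. The following is an added example, not PackageFix or Symfony code: it reads a composer.lock and classifies the pinned symfony/http-foundation version against the major version this page gives as fixed. The sample lock contents are constructed, and the function names are hypothetical.

```python
import json
import re

PACKAGE = "symfony/http-foundation"   # package named on this page
MIN_MAJOR = 7                         # this page's stated fix: ^7.0 or later

# Constructed sample composer.lock contents (not from a real project).
SAMPLE_LOCK_OLD = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v5.4.19"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})
SAMPLE_LOCK_NEW = json.dumps({
    "packages": [{"name": "symfony/http-foundation", "version": "v7.0.3"}],
    "packages-dev": [],
})


def locked_version(lock_text, package=PACKAGE):
    """Return the version string composer.lock pins for `package`, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section) or []:
            if entry.get("name", "").lower() == package:
                return entry.get("version")
    return None


def check_lock(lock_text, package=PACKAGE, min_major=MIN_MAJOR):
    """Classify the locked version against the minimum major version."""
    version = locked_version(lock_text, package)
    if version is None:
        return ("absent", None)
    # Composer tags look like "v5.4.19"; branch names such as "dev-main" have
    # no leading number and cannot be compared, so flag them for review.
    match = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        return ("unknown", version)
    status = "ok" if int(match.group(1)) >= min_major else "outdated"
    return (status, version)


if __name__ == "__main__":
    for label, text in (("old", SAMPLE_LOCK_OLD), ("new", SAMPLE_LOCK_NEW)):
        print(label, check_lock(text))
```

To check a real project, pass the text of its composer.lock to `check_lock`; an "absent" result means the package is not locked in either the packages or packages-dev section.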
Frequently Asked Questions
What is CVE-2022-24894?
CVE-2022-24894 is a vulnerability in Symfony that allows response caching of private data. Update to version ^7.0 or later to fix it.
Is CVE-2022-24894 on the CISA KEV catalog?
Check the live CISA KEV catalog at packagefix.dev — the catalog updates daily and PackageFix always reflects the current status.
How do I fix CVE-2022-24894 in Symfony?
Update Symfony to version ^7.0 or later in your composer.json. Run composer install after updating.
Does CVE-2022-24894 affect all versions of Symfony?
Check the OSV advisory for the exact affected version range. PackageFix shows the minimum safe version for your installed version.