CVE-2026-24739
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sensiolabs | symfony | Up to 5.4.51 (exc) |
| sensiolabs | symfony | From 6.4.0 (inc) to 6.4.33 (exc) |
| sensiolabs | symfony | From 7.3.0 (inc) to 7.3.11 (exc) |
| sensiolabs | symfony | From 7.4.0 (inc) to 7.4.5 (exc) |
| sensiolabs | symfony | From 8.0.0 (inc) to 8.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Symfony Process component on Windows when PHP is run from an MSYS2-based environment like Git Bash. The component did not correctly treat certain characters (notably '=') as special when escaping arguments. As a result, MSYS2's argument/path conversion can corrupt or truncate arguments passed to native Windows executables, causing the spawned process to receive altered arguments. This can lead to unintended operations, such as deleting broader directories than intended if file-management commands are invoked with paths containing '='.
How can this vulnerability impact me?
If you use Symfony Process to spawn native Windows executables from an MSYS2-based shell and pass arguments containing '=' or similar characters, the arguments may be corrupted or truncated. This can cause commands like file deletions to operate on unintended paths, potentially deleting more data than intended. The risk is higher if untrusted input influences these arguments, leading to possible data loss or unintended system modifications.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, avoid running PHP or your own tooling from MSYS2-based shells on Windows; instead, use cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing '=' or similar MSYS2-sensitive characters to Symfony Process when operating under Git Bash/MSYS2. Additionally, where applicable, configure MSYS2 to disable or restrict argument conversion by setting the MSYS2_ARG_CONV_EXCL environment variable, bearing in mind that this may change the behaviour of other tooling. Finally, update the Symfony Process component to version 5.4.51, 6.4.33, 7.3.11, 7.4.5 or 8.0.5, which contain the fix for this issue.
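The two stopgaps above (rejecting '=' in arguments and setting MSYS2_ARG_CONV_EXCL) as an added PHP example; this is not code from Symfony or from this advisory, and it is a complement to updating, not a replacement. It assumes the MSYSTEM environment variable identifies an MSYS2-based shell such as Git Bash, and that the spawned child honours MSYS2_ARG_CONV_EXCL='*'.

```php
<?php
// Added example (not Symfony's own code): guard Symfony Process calls made
// from an MSYS2 shell on Windows until the patched component is deployed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Process\Process;

/** True when PHP was started from an MSYS2-based shell (assumption: MSYSTEM is set by Git Bash/MSYS2). */
function runningUnderMsys2(): bool
{
    return \DIRECTORY_SEPARATOR === '\\' && getenv('MSYSTEM') !== false;
}

/** Refuse arguments containing '=', the character the advisory names as mishandled. */
function assertArgsSafeForMsys2(array $args): void
{
    foreach ($args as $arg) {
        if (str_contains((string) $arg, '=')) {
            throw new \InvalidArgumentException(
                sprintf('Refusing to pass "%s" to a native executable from an MSYS2 shell', $arg)
            );
        }
    }
}

/** Build a Process that applies both workarounds when an MSYS2 shell is detected. */
function buildGuardedProcess(array $command): Process
{
    $env = [];
    if (runningUnderMsys2()) {
        assertArgsSafeForMsys2(array_slice($command, 1));
        // Disable MSYS2 argument/path conversion for the child
        // (assumption: the child honours this setting in your environment).
        $env['MSYS2_ARG_CONV_EXCL'] = '*';
    }

    return new Process($command, null, $env);
}

// Usage with a constructed sample path whose name contains '='.
try {
    $process = buildGuardedProcess(['cmd', '/c', 'dir', 'C:\\data\\build=tmp']);
    $process->mustRun();
    echo $process->getOutput();
} catch (\InvalidArgumentException $e) {
    // Under Git Bash the guard rejects the argument instead of letting it be rewritten.
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```

Run from cmd.exe or PowerShell the guard is inactive and the command runs normally; run from Git Bash it refuses the '=' argument and logs why.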