{"id":"CVE-2020-5255","details":"In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.","aliases":["BIT-symfony-2020-5255","GHSA-mcx4-f5f5-4859"],"modified":"2026-04-12T00:01:33.292971Z","published":"2020-03-30T20:15:19.570Z","related":["GHSA-mcx4-f5f5-4859"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/"},{"type":"ADVISORY","url":"https://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859"},{"type":"ADVISORY","url":"https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header"},{"type":"FIX","url":"https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"625a4dbfdafcb8cea8ff90a62b9c24b28694938d"},{"fixed":"0889df1e88559968eb291c938d25b96e252f7bed"},{"introduced":"ea815ba986fe3be54acb5a47b0dc8760cf54e31d"},{"fixed":"93313a03cfdb3b9c994ae8e414267efcc010262d"},{"fixed":"dca343442e6a954f96a2609e7b4e9c21ed6d74e6"}],"database_specific":{"extracted_events":[{"introduced":"4.4.0"},{"fixed":"4.4.7"},{"introduced":"5.0.0"},{"fixed":"5.0.7"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"}}],"versions":["v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.4.4","v4.4.5","v4.4.6","v5.0.0","v5.0.1","v5.0.2","v5.0.3","v5.0.4","v5.0.5","v5.0.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5255.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}]}