Problem/Motivation

composer audit:

+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/process                                                                  |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-rkkf-636k-qjb3                                                              |
| CVE               | CVE-2026-24739                                                                   |
| Title             | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to           |
|                   | destructive file operations on Windows                                           |
| URL               | https://github.com/advisories/GHSA-r39x-jcww-82v6                                |
| Affected versions | >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51                    |
| Reported at       | 2026-01-28T21:28:10+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Let's update the constraint.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3571196

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

catch created an issue. See original summary.

longwave made their first commit to this issue’s fork.

longwave’s picture

Status: Active » Needs review

Opened fixes for 11.x, 11.3.x and 10.6.x; we don't have any releases from main and that can wait for #3570077: Update to Symfony 8

cilefen’s picture

Title: Update symfony/process constaint » Update symfony/process constraint
larowlan’s picture

Status: Needs review » Reviewed & tested by the community

Looks good to me

catch’s picture

Version: main » 10.6.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed the respective MRs to 11.x, 11.3.x, and 10.6.x, thanks!. Agreed main can wait for the Symfony 8 update.

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

  • catch committed 1bf47dca on 11.3.x
    task: #3571196 Update symfony/process constraint
    
    By: catch
    By: longwave
    

  • catch committed d05b44b3 on 10.6.x
    task: #3571196 Update symfony/process constraint
    
    By: catch
    By: longwave
    

  • catch committed 3d6327e7 on 11.x
    task: #3571196 Update symfony/process constraint
    
    By: catch
    By: longwave
    

  • catch committed 9acca904 on 11.3.x
    Reapply "task: #3571196 Update symfony/process constraint"
    
    This reverts...

  • catch committed 43ec4c8a on 11.3.x
    Revert "task: #3571196 Update symfony/process constraint"
    
    This reverts...

  • catch committed b6e7550e on 10.6.x
    Reapply "task: #3571196 Update symfony/process constraint"
    
    This reverts...

  • catch committed 04602e9d on 10.6.x
    Revert "task: #3571196 Update symfony/process constraint"
    
    This reverts...
catch’s picture

Reverted and recommitted here on top of #3570133: PHPUnit security update to avoid commit conflicts. No actual change in the diff, just the order of commits meant both could go in without having to rebase either of the MRs.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.