[GHSA-cg28-v4wq-whv5] Symfony's VarDumper vulnerable to unsafe deserialization

[jderusse]

Updates

• Affected products
• CVSS v3
• CVSS v4
• Description
• Severity

Comments
Similar to #5046 about GHSA-7q22-x757-cmgc reported by the same user, there is no vulnerability

We just discovered this advisory, and after investigation, we found that this is a false report.
Their is no such vulnerability, and the link to the patch is not related to any vulnerability fix.

Looks like someone created hundred of false CVE https://gist.github.com/1047524396 : all CVE registered in MITR have a backlink to the a gist created by this user

[advisory-database]

Hi @jderusse! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[mhd-fettah]

Thank you so much!

May I ask why a notification is sent to all projects using Symfony, which is a significant number, even before the report is verified? The recommended fix isn't straightforward (e.g., changing the .lock file). Shouldn't the report be thoroughly double-checked before sending out such notifications?

and thanks again for the great work on Symfony , I am enjoying the work with it even before laravel .