CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Reedy
	Jan 28 2026, 9:43 PM

Description

21:41:25     - Root composer.json requires symfony/process 6.4.31 (exact version match: 6.4.31 or 6.4.31.0), found symfony/process[v6.4.31] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-rkkf-636k-qjb3") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

https://github.com/advisories/GHSA-r39x-jcww-82v6

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Upgrade symfony/*	mediawiki/vendor	master	+139 -134
Upgrade symfony/*	mediawiki/vendor	wmf/1.46.0-wmf.13	+139 -134
Upgrade symfony/*	mediawiki/vendor	wmf/1.46.0-wmf.12	+139 -134

Customize query in gerrit

Related Objects

Mentioned In: T416518: Disable Composer 2.9 functionality to randomly block existing configurations from working
Mentioned Here: T411006: Composer 2.9 blocks LibUp js-yaml upgrade on release branch due to vulnerability in firebase/php-jwt
T415723: CI blocked from installing phpunit by CVE-2026-24765

Event Timeline

Reedy created this task.Jan 28 2026, 9:43 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2026, 9:43 PM

Reedy triaged this task as High priority.Jan 28 2026, 9:43 PM

Reedy added a project: ci-test-error (WMF-deployed Build Failure).

Change #1234511 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@master] Upgrade symfony/*

https://gerrit.wikimedia.org/r/1234511

gerritbot added a project: Patch-For-Review.Jan 28 2026, 9:45 PM

Reedy renamed this task from symfony/process security issue to CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows.Jan 28 2026, 9:46 PM

Reedy raised the priority of this task from High to Unbreak Now!.

Reedy updated the task description. (Show Details)

Example CI failure: https://integration.wikimedia.org/ci/job/quibble-vendor-mysql-php83-selenium/14745/console (for https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/1234430)

Previous Composer automatic-security-blocking related tasks:

Change #1234516 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@wmf/1.46.0-wmf.12] Upgrade symfony/*

https://gerrit.wikimedia.org/r/1234516

Change #1234517 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@wmf/1.46.0-wmf.13] Upgrade symfony/*

https://gerrit.wikimedia.org/r/1234517

Per https://libup.wmcloud.org/library/composer/symfony/process it looks like we're done once those three land?

Change #1234516 merged by jenkins-bot:

[mediawiki/vendor@wmf/1.46.0-wmf.12] Upgrade symfony/*

https://gerrit.wikimedia.org/r/1234516

Change #1234517 merged by jenkins-bot:

[mediawiki/vendor@wmf/1.46.0-wmf.13] Upgrade symfony/*

https://gerrit.wikimedia.org/r/1234517

Mentioned in SAL (#wikimedia-operations) [2026-01-28T22:16:17Z] <brennen@deploy2002> Started scap sync-world: Backport for [[gerrit:1234517|Upgrade symfony/* (T415834)]], [[gerrit:1234516|Upgrade symfony/* (T415834)]]

Mentioned in SAL (#wikimedia-operations) [2026-01-28T22:20:24Z] <brennen@deploy2002> brennen, reedy: Backport for [[gerrit:1234517|Upgrade symfony/* (T415834)]], [[gerrit:1234516|Upgrade symfony/* (T415834)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Change #1234511 merged by jenkins-bot:

[mediawiki/vendor@master] Upgrade symfony/*

https://gerrit.wikimedia.org/r/1234511

Mentioned in SAL (#wikimedia-operations) [2026-01-28T22:28:31Z] <brennen@deploy2002> Finished scap sync-world: Backport for [[gerrit:1234517|Upgrade symfony/* (T415834)]], [[gerrit:1234516|Upgrade symfony/* (T415834)]] (duration: 12m 15s)

Maintenance_bot removed a project: Patch-For-Review.Jan 28 2026, 10:31 PM

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.14; 2026-02-03).Jan 28 2026, 11:00 PM

Zabe closed this task as Resolved.Jan 29 2026, 12:17 AM

Zabe assigned this task to Reedy.

taavi mentioned this in T416518: Disable Composer 2.9 functionality to randomly block existing configurations from working.Feb 4 2026, 7:58 PM

CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on WindowsClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Closed, ResolvedPublic
Actions