update dependency symfony/cache to ~7.4.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/cache (source)	~7.3.9 → ~7.4.0

---

Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

CVE-2026-45073 / GHSA-6qh9-h6wf-jgqc

More information

Details

Description

Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear($prefix) method (inherited from AbstractAdapterTrait) is documented to delete cache items whose key starts with $prefix.

In the non-versioning code path, the caller-supplied $prefix is concatenated into $namespace = $this->namespace.$prefix and passed to PdoAdapter::doClear(), which builds:

DELETE FROM <table> WHERE <id_col> LIKE '<namespace>%'

The value is interpolated directly into the SQL text and executed with PDO::exec(): $namespace is not bound. A caller able to influence $prefix can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics.

Most applications don't expose clear($prefix) to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself.

Resolution

AbstractAdapterTrait::clear() now rejects any $prefix containing characters outside [-+.A-Za-z0-9]: when an invalid prefix is supplied, the method logs a warning and returns false instead of reaching the SQL layer. This blocks quotes, %, null bytes and other characters that would let an attacker break out of the LIKE literal.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank secsys_codex for reporting the issue and Nicolas Grekas for fixing it.

Severity

• CVSS Score: 5.0 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U

References

• https://github.com/symfony/symfony/security/advisories/GHSA-6qh9-h6wf-jgqc
• https://github.com/symfony/symfony/commit/ec50b799d79ebe24561f29351c1efcb6da95c9b
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2026-45073.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45073.yaml
• https://symfony.com/cve-2026-45073
• https://github.com/advisories/GHSA-6qh9-h6wf-jgqc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

symfony/cache (symfony/cache)

v7.4.12

Compare Source

Changelog (symfony/cache@v7.4.10...v7.4.12)

• security #cve-2026-45073 Validate the prefix given to AbstractAdapter::clear() (@​nicolas-grekas)

v7.4.10

Compare Source

Changelog (symfony/cache@v7.4.9...v7.4.10)

• bug #​64122 Ensure compatibility with Relay extension 0.22.0 (@​nicolas-grekas)

v7.4.9

Compare Source

Changelog (symfony/cache@v7.4.8...v7.4.9)

• bug #​64060 Normalize default_lifetime for pools wrapped by ChainAdapter (@​ostrolucky)
• bug #​63964 Ensure internal state is cleared in TagAwareAdapter::reset() … (@​KevinMartinsDev)
• bug #​63860 Fix Psr16Cache::getMultiple() returning wrapper values when using TTL (@​nicolas-grekas)

v7.4.8

Compare Source

Changelog (symfony/cache@v7.4.7...v7.4.8)

• bug #​63818 Ensure compatibility with Relay extension 0.21.0 (@​lyrixx)
• bug #​63747 Fix Psr16Cache::getMultiple() returning ValueWrapper with TagAwareAdapter (@​pcescon)
• bug #​63736 Fix undefined array key when tag save fails in AbstractTagAwareAdapter (@​pcescon)
• bug #​63655 Fix ChainAdapter ignoring item expiry when propagating to earlier adapters (@​guillaumeVDP)

v7.4.7

Compare Source

Changelog (symfony/cache@v7.4.6...v7.4.7)

• bug #​63592 Add timeout and slot eviction to LockRegistry stampede prevention (@​nicolas-grekas)

v7.4.6

Compare Source

Changelog (symfony/cache@v7.4.5...v7.4.6)

• bug #​63437 Wrap DoctrineDbalAdapter::doSave() in savepoint to prevent transaction poisoning (@​lacatoire)
• bug #​63391 Align Redis sentinel auth handling across components (@​nicolas-grekas)
• bug #​63324 Fix DSN auth not passed to Redis/RedisCluster/Relay in RedisTrait (@​ckrack)
• bug #​63306 Revert "Fix DSN auth not passed to clusters in RedisTrait" (@​nicolas-grekas)
• bug #​63272 Fix forwarding SSL settings to the redis sentinel (@​CientistaDaWeb)
• bug #​63230 fix engine declaration on mysql pdo table creations (@​tandev)

v7.4.5

Compare Source

Changelog (symfony/cache@v7.4.4...v7.4.5)

• bug #​63137 Fix PdoSessionHandler charset-collation mismatch with the Doctrine DBAL (@​samy-mahmoudi)

v7.4.4

Compare Source

Changelog (symfony/cache@v7.4.3...v7.4.4)

• bug #​62852 Fix DSN auth not passed to clusters in RedisTrait (@​wikando-ck)

v7.4.3

Compare Source

Changelog (symfony/cache@v7.4.2...v7.4.3)

• bug symfony/symfony#62873 [Cache] Fix namespace of chained pools when using another chain as template (@​nicolas-grekas)
• bug symfony/symfony#62840 [Cache] Fix stampede protection when forcing item recomputation (@​nicolas-grekas)
• bug symfony/symfony#62490 [FrameworkBundle] Fix cache:pool:prune exit code on failure (@​yoeunes)
• bug symfony/symfony#62793 [Cache] Fix calling the callback wrapper for ChainAdapter (@​nicolas-grekas)
• bug symfony/symfony#62799 [Cache][HttpFoundation] Fix VARBINARY columns on sqlsrv (@​nicolas-grekas)

v7.4.1

Compare Source

Changelog (symfony/cache@v7.4.0...v7.4.1)

• bug symfony/symfony#62614 [Cache] Fix NullAdapter must set taggable (@​a.dmitryuk)
• bug symfony/symfony#62602 [Cache] Fix the creation of a redis connection with only ext-relay (@​stof)
• bug symfony/symfony#62543 [Cache] ensure compatibility with RelayCluster 0.20.0 (@​xabbuh)
• bug symfony/symfony#62536 [Cache] ensure compatibility with Relay extension 0.20.0 (@​xabbuh)

v7.4.0

Compare Source

---

Configuration

📅 Schedule: (in timezone Europe/Rome)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update symfony/cache:7.4.12 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Dependency psr/log is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - phpoffice/phpspreadsheet is locked to version 1.30.4 and an update of this package was not requested.
    - phpoffice/phpspreadsheet 1.30.4 requires php >=7.4.0 <8.5.0 -> your php version (8.5.6) does not satisfy that requirement.