GHSA-4jp3-q2qm-9fmw
Improper Restriction of Rendered UI Layers or Frames in Sylius
Severity: MEDIUM
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Affected package: sylius/sylius (Packagist). Real-time download stats are indexed only for npm and PyPI packages; download data is not available via public APIs for Packagist, so no download figures are shown for this vulnerability.
Description
Impact
An attacker-controlled page can load the website inside an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface supplied by the attacker.
Patches
The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.
Workarounds
Every response from the app should have an X-Frame-Options header set to sameorigin. To achieve that, add a new event subscriber to your app:
<?php
// src/EventListener/XFrameOptionsSubscriber.php
namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

// Adds "X-Frame-Options: sameorigin" to every main-request response so that
// pages on other origins cannot frame the application.
final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Sub-requests (e.g. rendered fragments) do not produce the final
        // response sent to the browser; only act on the main request.
        if (!$this->isMainRequest($event)) {
            return;
        }

        $response = $event->getResponse();
        $response->headers->set('X-Frame-Options', 'sameorigin');
    }

    private function isMainRequest(ResponseEvent $event): bool
    {
        // isMainRequest() exists since Symfony 5.3; older versions only
        // provide the (now deprecated) isMasterRequest().
        if (\method_exists($event, 'isMainRequest')) {
            return $event->isMainRequest();
        }

        return $event->isMasterRequest();
    }
}
And register it in the container:
# config/services.yaml
services:
    # ...
    App\EventListener\XFrameOptionsSubscriber:
        tags: ['kernel.event_subscriber']
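The subscriber above only helps if the header actually reaches the browser on every page, and a Content-Security-Policy frame-ancestors directive, if one is also sent, takes precedence over X-Frame-Options. The script below is an added example (not part of the Sylius advisory or the Sylius code base) that parses a raw HTTP response header block and reports whether browsers will refuse to frame the page. All responses it checks are constructed samples, not captures from a real deployment; it generalises slightly beyond the advisory by also handling CSP frame-ancestors and conflicting X-Frame-Options values.

```python
"""Verify that an HTTP response restricts framing (clickjacking protection)."""
from __future__ import annotations

import re

# Constructed sample responses (assumption: not captured from a real Sylius site).
UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html>"
WITH_WORKAROUND = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: sameorigin\r\n\r\n<html>"
)
WITH_CSP_NONE = (
    "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
    "frame-ancestors 'none'\r\n\r\n<html>"
)
CSP_WILDCARD_OVERRIDES_XFO = (
    "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors *\r\n\r\n<html>"
)
ALLOW_FROM_ONLY = (
    "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n<html>"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse the header block of a raw response into lowercased name -> values."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # drop the body, if any
    headers: dict[str, list[str]] = {}
    for line in head.splitlines():
        if not line or line.startswith("HTTP/"):
            continue  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(headers: dict[str, list[str]]) -> list[str] | None:
    """Return the source list of the first frame-ancestors directive, or None."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_verdict(headers: dict[str, list[str]]) -> tuple[str, str]:
    """Return ("restricted" | "unrestricted", reason) following browser behaviour."""
    sources = csp_frame_ancestors(headers)
    if sources is not None:
        # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
        if "*" in sources:
            return "unrestricted", "CSP frame-ancestors allows any origin (*)"
        if not sources or sources == ["'none'"]:
            return "restricted", "CSP frame-ancestors denies all framing"
        return "restricted", "CSP frame-ancestors limits framing to: " + " ".join(sources)

    # X-Frame-Options may be repeated or comma-separated; the HTML spec treats
    # several differing values as a conflict and refuses to frame the page.
    values = {
        v.strip().upper()
        for header in headers.get("x-frame-options", [])
        for v in header.split(",")
        if v.strip()
    }
    if not values:
        return "unrestricted", "no X-Frame-Options or CSP frame-ancestors header"
    if len(values) > 1:
        return "restricted", "conflicting X-Frame-Options values; browsers refuse framing"
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "restricted", f"X-Frame-Options: {value}"
    # ALLOW-FROM, ALLOWALL and typos are not honoured by current browsers.
    return "unrestricted", f"X-Frame-Options value {value!r} is not honoured by browsers"


def check(raw: str) -> str:
    """Convenience wrapper: verdict for a raw response string."""
    return framing_verdict(parse_headers(raw))[0]


if __name__ == "__main__":
    for label, raw in [
        ("unpatched", UNPATCHED),
        ("with workaround", WITH_WORKAROUND),
        ("CSP frame-ancestors 'none'", WITH_CSP_NONE),
        ("CSP * overrides XFO", CSP_WILDCARD_OVERRIDES_XFO),
        ("ALLOW-FROM only", ALLOW_FROM_ONLY),
    ]:
        verdict, reason = framing_verdict(parse_headers(raw))
        print(f"{label:28} {verdict:12} {reason}")
```

Run it against a response captured with `curl -si` from your own deployment to confirm the header is present on the storefront and admin pages alike; a response reporting "unrestricted" means the workaround is not reaching that route (for example, a cached response or a sub-request path).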
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Sylius issue tracker
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| Packagist | sylius/sylius | all versions | 1.9.10 |
| Packagist | sylius/sylius | ≥ 1.10.0 && < 1.10.11 | 1.10.11 |
| Packagist | sylius/sylius | ≥ 1.11.0 && < 1.11.2 | 1.11.2 |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for sylius/sylius. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update sylius/sylius to 1.9.10 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4jp3-q2qm-9fmw is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4jp3-q2qm-9fmw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4jp3-q2qm-9fmw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4jp3-q2qm-9fmw in your dependencies?
O3 detects GHSA-4jp3-q2qm-9fmw across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.