GHSA-9ffx-f77r-756w
Sylius has an Open Redirect via Referer Header
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius+1 moreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting.
The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain.
The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat.
Affected classes:
CurrencySwitchController::switchAction()- publicStorageBasedLocaleSwitcher::handle()- public, used in locale switching without having locale in theurlImpersonateUserController::impersonateAction()- admin-only
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Workarounds
If you cannot update Sylius immediately, copy the affected classes from vendor to your project's src/ directory, apply the fix, and override the service definitions.
Step 1 - CurrencySwitchController
Copy from vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Controller/CurrencySwitchController.php to src/Controller/CurrencySwitchController.php and apply the following changes:
-namespace Sylius\Bundle\ShopBundle\Controller;
+namespace App\Controller;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Core\Currency\CurrencyStorageInterface;
use Sylius\Component\Core\Model\ChannelInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\RouterInterface;
final class CurrencySwitchController
{
public function __construct(
private Environment $templatingEngine, // for 1.x version
private CurrencyStorageInterface $currencyStorage,
private ChannelContextInterface $channelContext,
+ private RouterInterface $router,
) {
}
public function switchAction(Request $request, string $code): Response
{
/** @var ChannelInterface $channel */
$channel = $this->channelContext->getChannel();
$this->currencyStorage->set($channel, $code);
- return new RedirectResponse($request->headers->get('referer', $request->getSchemeAndHttpHost()));
+ return new RedirectResponse($this->router->generate('sylius_shop_homepage'));
}
}
Step 2 - ImpersonateUserController
Copy from vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Controller/ImpersonateUserController.php to src/Controller/Admin/ImpersonateUserController.php and apply the following changes:
-namespace Sylius\Bundle\AdminBundle\Controller;
+namespace App\Controller\Admin;
// ... (keep all existing use statements)
public function impersonateAction(Request $request, string $username): Response
{
// ... (keep authorization check and impersonation logic)
$this->addFlash($request, $username);
- $redirectUrl = $request->headers->get(
- 'referer',
+ return new RedirectResponse(
$this->router->generate('sylius_admin_customer_show', ['id' => $user->getId()])
);
-
- return new RedirectResponse($redirectUrl);
}
Step 3 - StorageBasedLocaleSwitcher (only if you use locale_switcher: storage)
Note: Skip this step if you use the default
locale_switcher: urlmode.
Copy from vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Locale/StorageBasedLocaleSwitcher.php to src/Locale/StorageBasedLocaleSwitcher.php and apply the following changes:
For Sylius 1.9 – 2.1.2:
-namespace Sylius\Bundle\ShopBundle\Locale;
+namespace App\Locale;
use Sylius\Bundle\ShopBundle\Locale\LocaleSwitcherInterface;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Core\Locale\LocaleStorageInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\RouterInterface;
final class StorageBasedLocaleSwitcher implements LocaleSwitcherInterface
{
public function __construct(
private LocaleStorageInterface $localeStorage,
private ChannelContextInterface $channelContext,
+ private RouterInterface $router,
) {
}
public function handle(Request $request, string $localeCode): RedirectResponse
{
$this->localeStorage->set($this->channelContext->getChannel(), $localeCode);
- return new RedirectResponse($request->headers->get('referer', $request->getSchemeAndHttpHost()));
+ return new RedirectResponse($this->router->generate('sylius_shop_homepage'));
}
}
For Sylius 2.1.3 and later:
In Sylius 2.1.3 the class was refactored to use
UrlMatcherInterface. While this adds partial validation, it still passes the full referer URL toRedirectResponse, so the open redirect remains exploitable.
-namespace Sylius\Bundle\ShopBundle\Locale;
+namespace App\Locale;
use Sylius\Bundle\ShopBundle\Locale\LocaleSwitcherInterface;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Core\Locale\LocaleStorageInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\Routing\Exception\ResourceNotFoundException;
-use Symfony\Component\Routing\Matcher\UrlMatcherInterface;
+use Symfony\Component\Routing\RouterInterface;
final class StorageBasedLocaleSwitcher implements LocaleSwitcherInterface
{
public function __construct(
private LocaleStorageInterface $localeStorage,
private ChannelContextInterface $channelContext,
- private ?UrlMatcherInterface $urlMatcher = null,
+ private RouterInterface $router,
) {
- if (null === $this->urlMatcher) {
- trigger_deprecation(
- 'sylius/shop-bundle',
- '2.1',
- 'Not passing a "%s" to "%s" is deprecated and will be required in Sylius 3.0.',
- UrlMatcherInterface::class,
- self::class,
- );
- }
}
public function handle(Request $request, string $localeCode): RedirectResponse
{
$this->localeStorage->set($this->channelContext->getChannel(), $localeCode);
- $url = $request->headers->get('referer', $request->getSchemeAndHttpHost());
-
- if ($this->urlMatcher) {
- try {
- $this->urlMatcher->match($url);
- } catch (ResourceNotFoundException) {
- return new RedirectResponse($request->getSchemeAndHttpHost());
- }
- }
-
- return new RedirectResponse($url);
+ return new RedirectResponse($this->router->generate('sylius_shop_homepage'));
}
}
Step 4 - Override the services
Add to config/services.yaml.
Sylius 1.x (1.9 – 1.14):
services:
# ... your existing services ...
sylius.controller.shop.currency_switch:
class: App\Controller\CurrencySwitchController
public: true
arguments:
$templatingEngine: '@twig'
$currencyStorage: '@sylius.storage.currency'
$channelContext: '@sylius.context.channel'
$router: '@router'
sylius.controller.shop.impersonate_user:
class: App\Controller\Admin\ImpersonateUserController
public: true
arguments:
$impersonator: '@sylius.admin.security.user_impersonator'
$authorizationChecker: '@security.authorization_checker'
$userProvider: '@sylius.admin_user_provider.email_or_name_based'
$router: '@router'
$authorizationRole: 'ROLE_ADMINISTRATION_ACCESS'
# Only if you use locale_switcher: storage
sylius.shop.locale_switcher:
class: App\Locale\StorageBasedLocaleSwitcher
public: false
arguments:
$localeStorage: '@sylius.storage.locale'
$channelContext: '@sylius.context.channel'
$router: '@router'
Sylius 2.x (2.0 – 2.1):
services:
# ... your existing services ...
sylius_shop.controller.currency_switch:
class: App\Controller\CurrencySwitchController
public: true
arguments:
$currencyStorage: '@sylius.storage.currency'
$channelContext: '@sylius.context.channel'
$router: '@router'
sylius_admin.controller.impersonate_user:
class: App\Controller\Admin\ImpersonateUserController
public: true
arguments:
$impersonator: '@sylius_admin.security.shop_user_impersonator'
$authorizationChecker: '@security.authorization_checker'
$userProvider: '@sylius.shop_user_provider.email_or_name_based'
$router: '@router'
$authorizationRole: 'ROLE_ADMINISTRATION_ACCESS'
# Only if you use locale_switcher: storage
sylius_shop.locale_switcher:
class: App\Locale\StorageBasedLocaleSwitcher
public: false
arguments:
$localeStorage: '@sylius.storage.locale'
$channelContext: '@sylius.context.channel'
$router: '@router'
Step 5 - Clear cache
bin/console cache:clear
Customizing the redirect target
If you need a different redirect target, override the route definition with the _sylius.redirect attribute:
# config/routes/sylius_shop.yaml (AFTER the sylius_shop resource import)
sylius_shop_switch_currency:
path: /{_locale}/switch-currency/{code}
methods: [GET]
defaults:
_controller: sylius.controller.shop.currency_switch:switchAction
_sylius:
redirect: sylius_shop_product_index # or any route name
Reporters
We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:
- Bartłomiej Nowiński (@bnBart)
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | sylius/sylius | all versions | 1.9.12 |
| 🐘Packagist | sylius/sylius | ≥ 1.10.0&&< 1.10.16 | 1.10.16 |
| 🐘Packagist | sylius/sylius | ≥ 1.11.0&&< 1.11.17 | 1.11.17 |
| 🐘Packagist | sylius/sylius | ≥ 1.12.0&&< 1.12.23 | 1.12.23 |
| 🐘Packagist | sylius/sylius | ≥ 1.13.0&&< 1.13.15 | 1.13.15 |
| 🐘Packagist | sylius/sylius | ≥ 1.14.0&&< 1.14.18 | 1.14.18 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for sylius/sylius. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update sylius/sylius to 1.9.12 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-9ffx-f77r-756w is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-9ffx-f77r-756w is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-9ffx-f77r-756w. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-9ffx-f77r-756w in your dependencies?
O3 detects GHSA-9ffx-f77r-756w across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.