EXECUTIVE SUMMARY:
CVE-2026-55878 (CVSS 7.8) is a path-traversal flaw in the symfony ux-toolkit Composer package affecting versions >= 2.32.0 < 2.36.1 and >= 3.0.0 < 3.2.0. The vulnerability resides in the ux:install console command, which processes a recipe's copy-files map and validates each destination path using only Path::isRelative(). Because Path::isRelative() returns true for any path that is not absolute, including one containing ".." segments, the subsequent Path::join() resolves those segments and lets the final destination escape the intended recipe directory. An attacker who can supply a crafted or compromised recipe kit can therefore write arbitrary files to any location on the developer's workstation or CI runner and read arbitrary files outside the recipe tree. Exploitation requires that the ux:install command be executed (for example during automated builds or developer setup) with sufficient filesystem permissions to create or overwrite files; the attack vector is a malicious recipe manifest delivered via a compromised package repository or an insider. Successful exploitation allows the attacker to overwrite configuration files, git hooks, or application code, leading to remote code execution, credential exposure, and supply-chain compromise that can disrupt services, damage reputation, and incur compliance penalties. The exploit also depends on the installer running in non-interactive mode or with the --force option, which suppresses prompts and enables silent overwrites.
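The validation gap described above, modelled in Python as an added example (this is not code from the ux-toolkit project, which is PHP): the "relative only" check beside a containment check that resolves the joined path first and rejects anything outside the project directory. The project directory and copy-files map below are constructed for illustration.

```python
import posixpath
from typing import Dict, Optional

# Constructed sample copy-files map (source -> destination), shaped like the
# recipe manifest the advisory describes. Paths are illustrative only.
COPY_FILES = {
    "config/ux.yaml": "config/packages/ux.yaml",          # benign
    "hooks/pre-commit": "../../.git/hooks/pre-commit",     # escapes project root
    "templates/x.html.twig": "templates/x.html.twig",      # benign
}


def is_relative(path: str) -> bool:
    """Mirrors the only check the affected versions applied: anything that
    does not start at the filesystem root counts as relative, so a
    destination such as '../../.git/hooks/pre-commit' passes."""
    return not posixpath.isabs(path)


def vulnerable_destination(project_dir: str, dest: str) -> Optional[str]:
    """Relative-only check, then join; normpath resolves '..' the way
    Path::join() does, so the result can land outside project_dir."""
    if not is_relative(dest):
        return None
    return posixpath.normpath(posixpath.join(project_dir, dest))


def hardened_destination(project_dir: str, dest: str) -> Optional[str]:
    """Resolve first, then require the result to stay inside project_dir.
    commonpath() compares path components, so '/srv/app2' is not treated as
    inside '/srv/app' the way a plain string-prefix test would."""
    if not is_relative(dest):
        return None
    root = posixpath.normpath(project_dir)
    target = posixpath.normpath(posixpath.join(root, dest))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


def escaped_entries(project_dir: str, copy_files: Dict[str, str]) -> Dict[str, str]:
    """Entries the relative-only check would accept but the containment
    check rejects: the rows a reviewer or detection rule should flag."""
    return {
        src: vulnerable_destination(project_dir, dst)
        for src, dst in copy_files.items()
        if vulnerable_destination(project_dir, dst) is not None
        and hardened_destination(project_dir, dst) is None
    }
```

Run against the sample map, `escaped_entries` returns only the git-hook row, resolved to `/.git/hooks/pre-commit`.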
RECOMMENDATION:
Upgrade symfony ux-toolkit to 2.36.1 or later on the 2.x line, or 3.2.0 or later on the 3.x line, the first releases outside the affected ranges above. Until the upgrade is in place, run ux:install only against recipe kits from a trusted source, and avoid non-interactive or --force runs in CI, since those suppress the prompts that would otherwise surface an unexpected overwrite.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-p9xj-fpr2-jf2q