symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

The Symfony Blog provides updates, tutorials, and insights on Symfony, a popular PHP framework for building web applications. Covering topics such as framework features, best practices, and community updates, the blog offers resources for Symfony developers looking to enhance their skills and stay up-to-date with the latest developments in the Symfony ecosystem. Developers can learn how to leverage Symfony's powerful features and conventions to build robust and maintainable web applications that meet the demands of modern web development.

Symfony

A security vulnerability (CVE-2026-46644) has been disclosed in symfony/polyfill-intl-idn affecting versions >=1.17.1 and <1.38.1. The polyfill's Idn::process() method fails to enforce a UTS #46 validity rule requiring that Punycode-decoded labels contain at least one non-ASCII code point. This allows xn-- labels with empty or ASCII-only payloads to be accepted, while PHP's native ext-intl correctly rejects them. The inconsistency can lead to blacklist bypassing, inconsistent URL parsing, and server-side request forgery (SSRF). The fix, released in version 1.38.1, makes the polyfill record IDNA_ERROR_INVALID_ACE_LABEL in these cases, matching native ext-intl behavior.

CVE-2026-46644: insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels (Symfony Blog)