CVE-2018-11406: CSRF Token Fixation

Written by Symfony blog - - Aggregated on Friday May 25, 2018

Affected versions

Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.

The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.

Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.


By default, a user’s session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens where not erased during logout which allowed for CSRF token fixation.


We fixed this issue by clearing all CSRF tokens when the user is logged out.


I would like to thank Kévin Liagre for reporting this security issue, Christian Flothmann for working on a fix, and the Symfony Core Team for reviewing the patch.

Be trained by Symfony experts - 2018-05-30 Paris - 2018-06-4 Clichy - 2018-06-4 Clichy

« CVE-2018-11385: Session Fixation Issue … - Symfony blog

Symfony blog - CVE-2018-11408: Open redirect vulnerabi… »