CVE-2021-41270

Name: CVE-2021-41270
Creator: NVD / NIST
Published: 2021-11-24T19:15:07.887+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 1.35%

Last modified Jun 17, 2026

CVE-2021-41270 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. EPSS estimates a 1.35% chance of exploitation in the next 30 days.

Description

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.35%

68.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-1236

Affected Software

Vendor	Product	Versions
Sensiolabs	Symfony	>= 4.1.0, < 4.4.35
Sensiolabs	Symfony	>= 5.0.0, < 5.3.12
Fedoraproject	Fedora	34
Fedoraproject	Fedora	35

References

https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8Patch, Third Party Advisory
https://github.com/symfony/symfony/pull/44243Patch, Third Party Advisory
https://github.com/symfony/symfony/releases/tag/v5.3.12Release Notes, Third Party Advisory
https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95xPatch, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8Patch, Third Party Advisory
https://github.com/symfony/symfony/pull/44243Patch, Third Party Advisory
https://github.com/symfony/symfony/releases/tag/v5.3.12Release Notes, Third Party Advisory
https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95xPatch, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/

Timeline

Published: Nov 24, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-41270?

How severe is CVE-2021-41270?

CVE-2021-41270 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.35% probability of exploitation in the next 30 days.

How do I fix CVE-2021-41270?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-41270?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST