Update dependency symfony/dom-crawler to ^7.4.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/dom-crawler (source)	^7.2 → ^7.4.12

---

Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true

CVE-2026-45071 / GHSA-x6g4-fwcc-jj8w

More information

Details

Description

symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages.

Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml's DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.

Resolution

The Crawler::addXmlContent method does not set the validateOnParse flag anymore.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Severity

• CVSS Score: 1.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w
• https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml
• https://symfony.com/cve-2026-45071
• https://github.com/advisories/GHSA-x6g4-fwcc-jj8w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

symfony/dom-crawler (symfony/dom-crawler)

v7.4.12

Compare Source

Changelog (symfony/dom-crawler@v7.4.1...v7.4.12)

• bug #​64258 Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@​nicolas-grekas)
• security #cve-2026-45071 Fix XXE in addXmlContent() by not enabling validateOnParse (@​alexandre-daubois)

v7.4.8

Compare Source

Changelog (symfony/dom-crawler@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Compare Source

Changelog (symfony/dom-crawler@v7.4.5...v7.4.6)

• no significant changes

v7.4.4

Compare Source

Changelog (symfony/dom-crawler@v7.4.3...v7.4.4)

• no significant changes

v7.4.1

Compare Source

Changelog (symfony/dom-crawler@v7.4.0...v7.4.1)

• bug symfony/symfony#62671 [DomCrawler] Fixing dealing with invalid charset (@​ThomasLandauer)

v7.4.0

Compare Source

Changelog (symfony/dom-crawler@v7.4.0-RC3...v7.4.0)

• no significant changes

v7.3.10

Compare Source

Changelog (symfony/dom-crawler@v7.3.9...v7.3.10)

• no significant changes

v7.3.3

Compare Source

Changelog (symfony/dom-crawler@v7.3.2...v7.3.3)

• no significant changes

v7.3.1

Compare Source

Changelog (symfony/dom-crawler@v7.3.0...v7.3.1)

• bug symfony/symfony#60781 [DomCrawler] Allow selecting buttons by their value (@​MatTheCat)

v7.3.0

Compare Source

Changelog (symfony/dom-crawler@v7.3.0-RC1...v7.3.0)

• no significant changes

v7.2.8

Compare Source

Changelog (symfony/dom-crawler@v7.2.7...v7.2.8)

• bug symfony/symfony#60781 [DomCrawler] Allow selecting buttons by their value (@​MatTheCat)

v7.2.4

Compare Source

Changelog (symfony/dom-crawler@v7.2.3...v7.2.4)

• bug symfony/symfony#59779 [DomCrawler] Bug #​43921 Check for null parent nodes in the case of orphaned branches (@​ttk)

v7.2.3

Compare Source

Changelog (symfony/dom-crawler@v7.2.2...v7.2.3)

• bug symfony/symfony#59399 [DomCrawler] Make ChoiceFormField::isDisabled return true for unchecked disabled checkboxes (@​MatTheCat)

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Read more information about the use of Renovate Bot.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update symfony/dom-crawler:7.4.12 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - phpunit/php-code-coverage is locked to version 11.0.8 and an update of this package was not requested.
    - phpunit/php-code-coverage 11.0.8 requires php >=8.2 -> your php version (8.1.99; overridden via config.platform, actual: 8.1.34) does not satisfy that requirement.
  Problem 2
    - phpunit/phpunit is locked to version 11.5.2 and an update of this package was not requested.
    - phpunit/phpunit 11.5.2 requires php >=8.2 -> your php version (8.1.99; overridden via config.platform, actual: 8.1.34) does not satisfy that requirement.
  Problem 3
    - symfony/css-selector is locked to version v7.2.0 and an update of this package was not requested.
    - symfony/css-selector v7.2.0 requires php >=8.2 -> your php version (8.1.99; overridden via config.platform, actual: 8.1.34) does not satisfy that requirement.
  Problem 4
    - Root composer.json requires symfony/dom-crawler ^7.4.12 -> satisfiable by symfony/dom-crawler[v7.4.12].
    - symfony/dom-crawler v7.4.12 requires php >=8.2 -> your php version (8.1.99; overridden via config.platform, actual: 8.1.34) does not satisfy that requirement.
  Problem 5
    - axleus/axleus-core is locked to version dev-master and an update of this package was not requested.
    - axleus/axleus-core dev-master requires mimmi20/mezzio-navigation-laminasviewrenderer ^4.0.0 || ^5.0.0 -> satisfiable by mimmi20/mezzio-navigation-laminasviewrenderer[5.0.2].
    - mimmi20/mezzio-navigation-laminasviewrenderer 5.0.2 requires php ~8.3.0 || ~8.4.0 || ~8.5.0 -> your php version (8.1.99; overridden via config.platform, actual: 8.1.34) does not satisfy that requirement.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.