Advisories for Composer/Symfony/Monolog-Bridge package

2026

Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Symfony\Bridge\Monolog\Command\ServerLogCommand (the server:log console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink. First, the listener binds to 0.0.0.0:9911 by default, so it accepts connections on every interface, not only loopback. Second, each received frame is processed as unserialize(base64_decode($message)) without an allowed_classes allowlist, without authentication, and without any integrity …
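The following is an added example, not Symfony's or Monolog's own code: a minimal stand-in for the server:log frame handler that removes both unsafe defaults described above. It binds to loopback instead of 0.0.0.0, base64-decodes in strict mode, passes an explicit allowed_classes allowlist to unserialize(), and drops any frame that still contains an object outside that allowlist. The allowlist (DateTimeImmutable only), the newline framing of messages, and the record keys printed are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Symfony's code): a hardened log-frame receiver.
// Assumption: one base64 frame per line; real server:log framing may differ.

const LISTEN_ADDR = 'tcp://127.0.0.1:9911';          // loopback only, never 0.0.0.0

// Assumption: a log record carries only plain arrays/scalars plus its timestamp.
const ALLOWED_CLASSES = [\DateTimeImmutable::class];

/**
 * Decode one frame. Returns the record array, or null if the frame is
 * malformed or tries to instantiate any class outside ALLOWED_CLASSES.
 */
function decodeFrame(string $frame): ?array
{
    $raw = base64_decode(trim($frame), true);         // strict mode rejects stray bytes
    if ($raw === false || $raw === '') {
        return null;
    }

    // allowed_classes: anything else becomes __PHP_Incomplete_Class, so no
    // __wakeup/__destruct gadget of a foreign class ever runs.
    // max_depth (PHP >= 7.4) bounds nested structures from an untrusted peer.
    $record = @unserialize($raw, ['allowed_classes' => ALLOWED_CLASSES, 'max_depth' => 16]);
    if (!is_array($record)) {
        return null;
    }

    // Refuse the whole frame if any leaf is an incomplete (disallowed) class.
    $tainted = false;
    array_walk_recursive($record, function ($value) use (&$tainted): void {
        if ($value instanceof \__PHP_Incomplete_Class) {
            $tainted = true;
        }
    });

    return $tainted ? null : $record;
}

/** Accept loopback connections and print the records they deliver. */
function serve(): void
{
    $server = @stream_socket_server(LISTEN_ADDR, $errno, $errstr);
    if ($server === false) {
        fwrite(STDERR, "cannot listen on " . LISTEN_ADDR . ": $errstr\n");
        exit(1);
    }
    fwrite(STDERR, "listening on " . LISTEN_ADDR . "\n");

    while (($conn = @stream_socket_accept($server, -1)) !== false) {
        while (($line = fgets($conn)) !== false) {
            $record = decodeFrame($line);
            if ($record === null) {
                fwrite(STDERR, "rejected malformed or disallowed frame\n");
                continue;
            }
            printf("[%s] %s: %s\n",
                $record['channel'] ?? '?', $record['level_name'] ?? '?', $record['message'] ?? '');
        }
        fclose($conn);
    }
}

// Self-check with constructed frames (run with: php receiver.php --selfcheck).
function selfCheck(): bool
{
    // A well-formed record: arrays and scalars plus an allowlisted timestamp.
    $good = base64_encode(serialize([
        'channel' => 'app', 'level_name' => 'INFO', 'message' => 'hello',
        'datetime' => new \DateTimeImmutable('2026-01-01T00:00:00+00:00'),
    ]));
    // A frame whose payload names a class that is not on the allowlist.
    $foreign = base64_encode(serialize(['message' => 'x', 'obj' => new \ArrayObject([])]));

    return decodeFrame($good) !== null
        && decodeFrame($foreign) === null     // disallowed class -> rejected
        && decodeFrame('not base64!!') === null;
}

if (PHP_SAPI === 'cli') {
    if (in_array('--selfcheck', $argv ?? [], true)) {
        echo selfCheck() ? "self-check ok\n" : "self-check FAILED\n";
    } else {
        serve();
    }
}
```

The two changes map directly to the two defaults the advisory names: the loopback bind shrinks the reachable surface to processes on the developer's own host, and the allowlist turns an arbitrary-object sink into one that can only produce the types the log viewer actually needs. For the real command, the equivalent of the first change is to run it with its host option pointed at 127.0.0.1 rather than the 0.0.0.0 default.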