CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
The Symfony Process component did not correctly treat some characters (notably =) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters.
This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended.
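The conditions described above can be checked before a command is handed to Process. The following is an added example, not code from the advisory or from Symfony: it reports whether PHP runs on Windows under an MSYS2-based shell and which arguments contain `=`. It assumes PHP 8 and uses the MSYSTEM environment variable as the MSYS2 indicator; the function names and the sample command are hypothetical.

```php
<?php
// Added example, not part of symfony/process. Function names are hypothetical.

/** True when PHP runs on Windows and was started from an MSYS2-based shell. */
function runsUnderMsys2(string $osFamily, array $env): bool
{
    // Assumption: MSYSTEM (e.g. "MINGW64"), which MSYS2 and Git Bash export
    // to child processes, is used as the indicator of such an environment.
    return 'Windows' === $osFamily && '' !== (string) ($env['MSYSTEM'] ?? '');
}

/**
 * Returns the arguments, keyed by position, that contain "=", the character
 * the advisory names. Deliberately conservative: an argument is reported even
 * if another character in it would already cause it to be quoted.
 */
function argumentsWithEquals(array $command): array
{
    return array_filter(
        $command,
        static fn ($arg): bool => is_string($arg) && str_contains($arg, '=')
    );
}

/** Combines both conditions into one verdict for a command line. */
function assessCommand(array $command, string $osFamily, array $env): array
{
    $flagged = argumentsWithEquals($command);
    $msys2 = runsUnderMsys2($osFamily, $env);

    return ['msys2' => $msys2, 'flagged' => $flagged, 'exposed' => $msys2 && [] !== $flagged];
}

// Constructed sample command; the executable and paths are placeholders.
$command = ['tool.exe', '--output=C:\\build\\out', 'report.txt'];

// Constructed environments: Git Bash on Windows, cmd.exe on Windows, Linux.
$cases = [
    'git-bash' => ['Windows', ['MSYSTEM' => 'MINGW64']],
    'cmd.exe'  => ['Windows', []],
    'linux'    => ['Linux', []],
];
foreach ($cases as $name => [$osFamily, $env]) {
    $result = assessCommand($command, $osFamily, $env);
    printf("%-8s exposed=%s flagged=%s\n", $name, $result['exposed'] ? 'yes' : 'no', json_encode($result['flagged']));
}

// For the running process: assessCommand($command, PHP_OS_FAMILY, getenv());
```

A positive result only means the preconditions named in the advisory are present; whether the installed symfony/process release contains the fix has to be checked against the linked commits.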
References
- github.com/advisories/GHSA-r39x-jcww-82v6
- github.com/symfony/symfony
- github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
- github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
- github.com/symfony/symfony/issues/62921
- github.com/symfony/symfony/pull/63164
- github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
- nvd.nist.gov/vuln/detail/CVE-2026-24739