2 min. read
Categories: News
Security releases announcement – January 2020
The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities.

The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities found in Sylius/Sylius and Sylius/SyliusResourceBundle.

CVE-2020-5218: Ability to switch channels via a GET parameter enabled in production environments

The original security advisory has been published on GitHub at Sylius/Sylius repository.



This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.


Patch has been provided for Sylius 1.3.x and newer – 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.


Unsupported versions could be patched by adding the following configuration to run in production:

    debug: false

CVE-2020-5220: Ability to define unintended serialisation groups via an HTTP header which might lead to data exposure

The original security advisory has been published on GitHub at Sylius/SyliusResourceBundle repository.



ResourceBundle accepts and uses any serialisation groups to be passed via an HTTP header. This might lead to data exposure by using an unintended serialisation group – for example, it could make Shop API use a more permissive group from Admin API.

Anyone exposing an API with ResourceBundle’s controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2.


The patch is provided for ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

After it is applied, It allows choosing only the groups that are defined in serialization_groups or allowed_serialization_groups route definition. Any group not defined in those will not be used.

This behaviour might be a BC break for those using custom groups via the HTTP header, please adjust allowed_serialization_groups accordingly.


Service sylius.resource_controller.request_configuration_factory can be overridden with an implementation copied from Sylius\Bundle\ResourceBundle\Controller\RequestConfigurationFactory where the part that handles custom serialisation groups is deleted.

Kamil Kokot
Kamil is a self-taught developer, working mostly as a Solution Specialist. Currently focused on empowering development teams by improving Sylius architecture and processes. A tea lover and a minimalist, interested in linguistics and cognitive science.
More from our blog
Cloud 2 min read 17.06.2024
We are thrilled to announce that we just signed a strategic partnership with Platform.sh, and as a result, we are extending our offer with Sylius Cloud powered by Platform.sh. Platform.sh is a modern Platform-as-a-Service (PaaS) solution that allows businesses to leverage the cloud environment without losing access to the code… Read More
Technical 2 min read 11.06.2024
Abstract 1.12 released in Q4 2022 1.13 on Apr 23rd, 2024 (a year later than we anticipated while releasing 1.12) 3859 commits 23 contributors A stabilized Sylius API powered by API Platform It’s been a long and bumpy road. Having it behind our backs was a highway that led Sylius… Read More
Business Ecosystem News 2 min read 06.06.2024
Welcome to the May summary! As an open-source eCommerce framework, Sylius continues to evolve with significant contributions from our vibrant community and valuable product updates. Apart from describing the technical changes, we will also quickly summarize the Sylius Technical Fundamentals & Sylius Polish Community Meetup and eCommerce Day Kaunas, as… Read More