2 min. read
Categories: News
Security releases announcement – January 2020
The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities.

The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities found in Sylius/Sylius and Sylius/SyliusResourceBundle.

CVE-2020-5218: Ability to switch channels via a GET parameter enabled in production environments

The original security advisory has been published on GitHub at Sylius/Sylius repository.



This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.


Patch has been provided for Sylius 1.3.x and newer – 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.


Unsupported versions could be patched by adding the following configuration to run in production:

    debug: false

CVE-2020-5220: Ability to define unintended serialisation groups via an HTTP header which might lead to data exposure

The original security advisory has been published on GitHub at Sylius/SyliusResourceBundle repository.



ResourceBundle accepts and uses any serialisation groups to be passed via an HTTP header. This might lead to data exposure by using an unintended serialisation group – for example, it could make Shop API use a more permissive group from Admin API.

Anyone exposing an API with ResourceBundle’s controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2.


The patch is provided for ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

After it is applied, It allows choosing only the groups that are defined in serialization_groups or allowed_serialization_groups route definition. Any group not defined in those will not be used.

This behaviour might be a BC break for those using custom groups via the HTTP header, please adjust allowed_serialization_groups accordingly.


Service sylius.resource_controller.request_configuration_factory can be overridden with an implementation copied from Sylius\Bundle\ResourceBundle\Controller\RequestConfigurationFactory where the part that handles custom serialisation groups is deleted.

Kamil Kokot
Kamil is a self-taught developer, working mostly as a Solution Specialist. Currently focused on empowering development teams by improving Sylius architecture and processes. A tea lover and a minimalist, interested in linguistics and cognitive science.
More from our blog
Business News Technical 2 min read 28.09.2020
Get ready for global sales & operations with the most advanced payment solution from the famous fintech giant, now available in Sylius out of the box. Read More
Business News 2 min read 14.09.2020
We proudly present to you the latest version of the Sylius eCommerce Platform – 1.8, which comes with a brand new, unified API powered by API Platform, Loyalty points system for Sylius Plus, and as you can probably see, a brand new sylius.com website! Numbers This new release is a… Read More
Business Ecosystem News 2 min read 13.08.2020
Read why the French market leader trusted Sylius in a strategic re-platforming process to get a competitive eCommerce advantage. Read More