chore(deps): Update dependency symfony/cache to v8.0.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
symfony/cache (source)	8.0.10 → 8.0.12

---

Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

CVE-2026-45073 / GHSA-6qh9-h6wf-jgqc

More information

Details

Description

Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear($prefix) method (inherited from AbstractAdapterTrait) is documented to delete cache items whose key starts with $prefix.

In the non-versioning code path, the caller-supplied $prefix is concatenated into $namespace = $this->namespace.$prefix and passed to PdoAdapter::doClear(), which builds:

DELETE FROM <table> WHERE <id_col> LIKE '<namespace>%'

The value is interpolated directly into the SQL text and executed with PDO::exec(): $namespace is not bound. A caller able to influence $prefix can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics.

Most applications don't expose clear($prefix) to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself.

Resolution

AbstractAdapterTrait::clear() now rejects any $prefix containing characters outside [-+.A-Za-z0-9]: when an invalid prefix is supplied, the method logs a warning and returns false instead of reaching the SQL layer. This blocks quotes, %, null bytes and other characters that would let an attacker break out of the LIKE literal.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank secsys_codex for reporting the issue and Nicolas Grekas for fixing it.

Severity

• CVSS Score: 5.0 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U

References

• https://github.com/symfony/symfony/security/advisories/GHSA-6qh9-h6wf-jgqc
• https://github.com/symfony/symfony/commit/ec50b799d79ebe24561f29351c1efcb6da95c9b
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2026-45073.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45073.yaml
• https://symfony.com/cve-2026-45073
• https://github.com/advisories/GHSA-6qh9-h6wf-jgqc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

symfony/cache (symfony/cache)

v8.0.12

Compare Source

Changelog (symfony/cache@v8.0.10...v8.0.12)

• security #cve-2026-45073 Validate the prefix given to AbstractAdapter::clear() (@​nicolas-grekas)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (419ab86) to head (014a7d8).

Additional details and impacted files

@@             Coverage Diff             @@
##              master      #303   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity        90        90           
===========================================
  Files              7         7           
  Lines            226       226           
===========================================
  Hits             226       226           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.