Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

When

2026-06-15 17:32 UTC

Where

Global (internet)

Category

cyber_advisory · composer

### Description `Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature()` parses the `X-MOM-Webhook-Signature` request header as `algo=signature` and passes the wire-supplied `$algo` directly to `hash_hmac()` when verifying the request against the configured webhook secret. The request therefore selects the HMAC primitive used to authenticate it. PHP's `hash_hmac()` enforces only that the chosen algorithm is HMAC-compatible. That set still includes primitives with known cryptanalysis (`md4`, `md5`, `ripemd128`, `tiger128,3`, … — e.g. existential forgery of HMAC-MD4, Contini & Yin, ASIACRYPT 2006). This is the canonical algorithm-confusion shape, analogous to JWT `alg=none` / `alg=HS256` downgrades: any future cryptographic weakness in any HMAC primitive PHP exposes becomes immediately exploitable against a Mailomat webhook receiver, the moment an attacker is in a position to compute a signature for that primitive, without a code change on the Symfony side. Mailomat's [documented webhook security](https://api.mailomat.swiss/docs/#tag/webhook-security) pins SHA-256; the parser did not. ### Resolution `MailomatRequestParser::validateSignature()` now requires the signature header to be of the form `sha256=<hex>` and verifies the signature with HMAC-SHA256 keyed by the configured secret using a constant-time comparison. Any other algorithm declared on the wire (including the HMAC primitives PHP would otherwise accept) is rejected. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/bdfe9fe0d94d33dfaca0bc2fe0b00b54767b0c88) for branch 7.4 (and forward-ported to 8.0 and 8.1). ### Credits Symfony would like to thank Omar Alshammari, Essam Alanazi and Alwaleed Alshammari for reporting the issue and Nicolas Grekas for providing the fix.

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-15 17:32 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

• Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Uni…
  Shared actorsInvolves composer/symfony/symfony, composer/symfony/symfony· 83% match
• Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compat…
  Shared actorsInvolves composer/symfony/symfony, composer/symfony/symfony· 83% match
• Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated…
  Shared actorsInvolves composer/symfony/symfony, composer/symfony/symfony· 83% match
• Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to acc…
  Shared actorsInvolves composer/symfony/symfony, composer/symfony/symfony· 83% match
• Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
  Shared actorsInvolves composer/symfony/symfony, composer/symfony/symfony· 83% match

← Back to the live map