🚨 [security] [php] Update symfony/polyfill-intl-idn 1.32.0 → 1.38.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ symfony/polyfill-intl-idn (indirect, 1.32.0 → 1.38.1) · Repo

Security Advisories 🚨

🚨 symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form

Description

symfony/polyfill-intl-idn provides a userland implementation of idn_to_utf8() and idn_to_ascii() for runtimes that lack the intl extension. Its Idn::process() method decodes labels prefixed with xn-- using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point.

As a consequence, xn-- labels whose Punycode payload is empty (xn--) or decodes to a string made of only ASCII code points (e.g. xn--kc1zs4-) are accepted by the polyfill while PHP's native ext-intl rejects them with IDNA_ERROR_INVALID_ACE_LABEL. Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224).

Example with IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII:

Input	Polyfill output	Native ext-intl output
poc.xn--kc1zs4-.com	poc.kc1zs4.com	false (errors=1024)
poc.kc1zs4.xn--	poc.kc1zs4.	false (errors=1024)

Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency.

Resolution

Idn::process() now records IDNA_ERROR_INVALID_ACE_LABEL when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native ext-intl behaviour and UTS #46 revision 33.

The patch for this issue is available here for branch 1.x.

Credits

Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.

Release Notes

1.38.1

Changelog (v1.31.0...v1.38.1)

• security #cve-2026-46644 Reject xn-- labels whose Punycode payload decodes to ASCII-only (@nicolas-grekas)

1.37.0

Changelog (v1.36.0...v1.37.0)

• no significant changes

1.36.0

Changelog (v1.35.0...v1.36.0)

• no significant changes

1.34.0

Changelog (v1.33.0...v1.34.0)

• no significant changes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 1 commit:

• [Intl][Idn] Reject xn-- labels whose Punycode payload decodes to ASCII-only

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)