CVE-2023-49094 MEDIUM

CVE-2023-49094: Symbolicator Server Side Request Forgery vulnerability

Vendor Getsentry
Product symbolicator
Weakness CWE-918 · SSRF
Published November 30, 2023
Last update June 5, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary HTTP GET requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on a Sentry instance. The issue has been fixed in release 23.11.2.

Key dates

02 Disclosure timeline

November 30, 2023 CVE published
June 5, 2025 Record updated