How to remediate – Symfony Debug Mode Enabled

Contents

1. Introduction

Symfony Debug Mode Enabled allows developers access to tools like a web profiler and debug toolbar for troubleshooting applications. This exposes sensitive information about application requests and configuration, creating a high severity risk. A successful exploit could lead to data disclosure, impacting confidentiality of user data and potentially the integrity of the application. Systems running Symfony PHP web applications are usually affected.

2. Technical Explanation

Symfony’s debug mode provides detailed information useful for development but unsafe in a production environment. An unauthenticated attacker can access this information remotely, revealing internal paths and configuration details. The vulnerability exists when the application is running with `APP_DEBUG=1` or if access to `app_dev.php` isn’t restricted. A simple HTTP request to specific URLs can expose sensitive data.

Root cause: Debug mode enabled in a production environment, or unrestricted access to development files.
Exploit mechanism: An attacker sends an HTTP request to the application while debug mode is active, retrieving detailed error messages, profiler data and potentially PHP configuration information. For example, accessing `/app_dev.php/config` could reveal sensitive settings.
Scope: Symfony PHP web applications of all versions are affected if debug mode is enabled in production or `app_dev.php` is publicly accessible.

3. Detection and Assessment

Confirming the vulnerability involves checking the application’s configuration and access controls. A quick check can identify whether debug mode is active, while a thorough method verifies access restrictions.

Quick checks: Check the `.env` file for `APP_DEBUG=1`. Examine the web server configuration to see if `app_dev.php` is publicly accessible.
Scanning: Nessus or other vulnerability scanners may identify this issue with relevant plugins, but manual verification is recommended.
Logs and evidence: Look for detailed error messages in application logs that reveal internal paths or sensitive data. Accessing `/app_dev.php` should not be possible from outside localhost.

curl -I https://your-symfony-application.com/app_dev.php # Check HTTP status code, it should be 403 Forbidden if restricted to localhost.

4. Solution / Remediation Steps

Fixing this issue requires disabling debug mode and restricting access to development files. These steps are small, testable, and safe to roll back.

4.1 Preparation

Ensure you have access to modify the application’s environment variables and web server configuration. A roll back plan is to restore the original `.env` file and restart the web server.
A change window may be needed depending on your organisation’s policies, with approval from the IT security team.

4.2 Implementation

Step 1: Edit the `.env` file and set `APP_DEBUG=0`.
Step 2: Clear the application cache using `php bin/console cache:clear –env=prod`.
Step 3: Restart the web server.
Step 4: If running an older Symfony version, configure your webserver to restrict access to `/app_dev.php` to localhost only.

4.3 Config or Code Example

Before

APP_DEBUG=1

After

APP_DEBUG=0

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence.

Practice 1: Secure configuration management – ensure sensitive settings are not exposed in publicly accessible files or repositories.
Practice 2: Least privilege – limit access to development environments and tools to authorised personnel only.

4.5 Automation (Optional)

# Example Ansible task to set APP_DEBUG=0 in .env file
- name: Disable Symfony Debug Mode
  lineinfile:
    path: /path/to/your/symfony/.env
    regexp: '^APP_DEBUG='
    line: 'APP_DEBUG=0'
  notify: Restart web server # Ensure the web server is restarted after changes.

5. Verification / Validation

Confirming the fix involves checking the application configuration and verifying that debug information is no longer accessible. Provide commands, expected outputs, and a short negative test if possible.

Post-fix check: Check the `.env` file to confirm `APP_DEBUG=0`.
Re-test: Attempt to access `/app_dev.php/config` via a web browser; it should return a 403 Forbidden error.
Monitoring: Monitor application logs for any unexpected errors or access attempts to `/app_dev.php`.

curl -I https://your-symfony-application.com/app_dev.php # Expected output: HTTP/1.1 403 Forbidden

6. Preventive Measures and Monitoring

Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.

Baselines: Update security baselines or policies to include a requirement for disabling debug mode in production environments.
Pipelines: Implement checks in CI/CD pipelines to prevent deployment of applications with debug mode enabled in production.
Asset and patch process: Review application configurations regularly as part of an asset management process, ensuring compliance with security standards.

7. Risks, Side Effects, and Roll Back

Risk or side effect 1: Disabling debug mode may require additional logging for troubleshooting production issues.
Risk or side effect 2: Incorrect web server configuration could lead to service downtime.
Roll back: Restore the original `.env` file, clear the application cache, and restart the web server.

8. References and Resources

Vendor advisory or bulletin: https://symfony.com/doc/6.3/configuration/front_controllers_and_kernel.html#debug-mode
NVD or CVE entry: Not applicable, this is a configuration issue rather than a specific vulnerability with a CVE.
Product or platform documentation relevant to the fix: https://symfony.com/doc/6.3/configuration/front_controllers_and_kernel.html#debug-mode

Updated on December 27, 2025

Was this article helpful?

Yes No