Edge Side Includes or ESI is a small markup language for edge level dynamic web content assembly. The ESI specification describes tags you can embed in your pages to communicate with the gateway cache.

Your Symfony web application is configured to run with ESI (Edge-Side Includes) enabled. When ESI is enabled, the endpoint /_fragment can be used to run arbitrary PHP code if the Symfony configuration value secret is weak/predictable.


Make sure your Symfony web application is using a strong value for Symfony's configuration value secret and consider disabling ESI (if not required) via

# config/packages/framework.yaml
    # ...
    esi: false


Related Vulnerabilities