
Update symfony/http-foundation for CVE-2019-10913 and CVE-2019-18888 #20

Open

@bear

Per the GitHub Security alert, the current version of symfony/http-foundation is vulnerable.

CVE-2019-10913 critical severity
GHSA-x92h-wmg2-6hp7

Vulnerable versions: >= 3.0.0, < 3.4.26
Patched version: 3.4.26
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

CVE-2019-18888 moderate severity
GHSA-xhh6-956q-4q69

Vulnerable versions: >= 3.0.0, < 3.4.35
Patched version: 3.4.35
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

Their suggested remediation is:

Upgrade symfony/http-foundation to version 3.4.35 or later. For example:

```json
"require": {
  "symfony/http-foundation": "3.4.35"
}
```
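The two advisories above describe two different bug classes: an HTTP verb taken from the request line or the `X-HTTP-METHOD-OVERRIDE` header and reused without validation (CVE-2019-10913), and a file name forwarded to the `file` command where it can be parsed as an option (CVE-2019-18888). The PHP below is an added illustration, not code from this issue or from symfony/http-foundation; it reimplements each pattern in plain PHP with the naive form beside a hardened one. The function names (`naiveMethod`, `safeMethod`, `naiveFileCommand`, `safeFileCommand`), the `KNOWN_METHODS` list and the sample inputs are assumptions made for the example, and the hardening follows the approach the upstream fixes are understood to take (an allowlist of verbs plus a syntax check for the method; `--` and a `./` prefix for the path); consult the patched releases for the exact project changes.

```php
<?php
// Added example, not from the issue or from symfony/http-foundation.
// Function names, the verb list and the sample inputs are hypothetical.
declare(strict_types=1);

// --- CVE-2019-10913: override header treated as trusted input ---------------

// Naive: whatever the override header carries becomes "the method" and can
// travel unescaped into a log line, an HTML page or an SQL string.
function naiveMethod(array $server): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ('POST' === $method && isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        $method = strtoupper((string) $server['HTTP_X_HTTP_METHOD_OVERRIDE']);
    }
    return $method;
}

// Hardened: known verbs pass; anything else must at least be an HTTP token,
// otherwise the request is rejected instead of the value being forwarded.
const KNOWN_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT',
                       'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];

function safeMethod(array $server): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ('POST' === $method && isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        $method = strtoupper((string) $server['HTTP_X_HTTP_METHOD_OVERRIDE']);
    }
    if (\in_array($method, KNOWN_METHODS, true)) {
        return $method;
    }
    // Quotes, angle brackets, spaces or semicolons are never part of a verb.
    if (!preg_match('/^[A-Z]++$/D', $method)) {
        throw new UnexpectedValueException(
            sprintf('Invalid HTTP method override "%s".', $method)
        );
    }
    return $method;
}

// --- CVE-2019-18888: file name forwarded to file(1) -------------------------

// Naive: escapeshellarg() prevents shell injection, but a name beginning with
// "-" still reaches file(1) as an option because nothing ends option parsing.
function naiveFileCommand(string $path): string
{
    return sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($path));
}

// Hardened: "--" terminates option parsing, and a leading "-" is neutralised
// by anchoring the path to the current directory.
function safeFileCommand(string $path): string
{
    if (0 === strpos($path, '-')) {
        $path = './' . $path;
    }
    return sprintf('file -b --mime -- %s 2>/dev/null', escapeshellarg($path));
}

// Constructed sample input: a forged override header and a hostile file name.
$server = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_X_HTTP_METHOD_OVERRIDE' => '<script>alert(1)</script>',
];

echo 'naive method:   ', naiveMethod($server), PHP_EOL;
try {
    echo 'safe method:    ', safeMethod($server), PHP_EOL;
} catch (UnexpectedValueException $e) {
    echo 'safe method:    rejected (', $e->getMessage(), ')', PHP_EOL;
}

$hostile = '-m /tmp/magic';
echo 'naive command:  ', naiveFileCommand($hostile), PHP_EOL;
echo 'safe command:   ', safeFileCommand($hostile), PHP_EOL;
```

Run with `php example.php`; neither function executes `file`, they only build the command string so the difference in argument handling can be inspected without touching the filesystem. Note that the remediation snippet quoted in the issue pins an exact version; a caret constraint such as `^3.4.35` would also accept later 3.4.x security releases, which is the usual Composer practice.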
