CVE-2026-45075

Public on 2026-05-21
Modified on 2026-05-21
Description
Symfony's IsGranted, IsSignatureValid, and IsCsrfTokenValid attributes accept a methods argument that limits enforcement of the check to the listed HTTP methods. An attribute declaring methods GET is ignored for a HEAD request. Because the Symfony router serves HEAD requests with the GET handler, a controller protected by IsGranted with methods GET can be reached via HEAD with the authorization check silently skipped: response headers leak and the controller's side effects still occur. Affected versions: Symfony 7.4.0 to 7.4.11 and 8.0.0 to 8.0.11.
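As an added illustration (not code from the advisory or from Symfony itself), the controller below shows the attribute usage the description refers to next to a form without the methods restriction, followed by a functional test that sends a HEAD request; the controller, role, route paths and test names are assumptions.

```php
<?php
// Added example; not code from the advisory or from Symfony itself.
// Controller, role, route and test names are assumptions for illustration.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class ReportController extends AbstractController
{
    // Pattern the advisory describes: on affected versions the check is
    // enforced only for GET, the router dispatches HEAD to this same handler,
    // and the attribute is ignored for HEAD, so the export runs and its
    // headers are returned without ROLE_ADMIN ever being checked.
    #[Route('/admin/report/legacy-export', methods: ['GET'])]
    #[IsGranted('ROLE_ADMIN', methods: ['GET'])]
    public function legacyExport(): Response
    {
        return new Response('', 200, ['X-Report-Rows' => '1234']);
    }

    // Hardened form: no methods restriction, so the check applies to every
    // method that can reach the route, HEAD included.
    #[Route('/admin/report/export', methods: ['GET'])]
    #[IsGranted('ROLE_ADMIN')]
    public function export(): Response
    {
        return new Response('', 200, ['X-Report-Rows' => '1234']);
    }
}

// Regression test (tests/Controller/HeadBypassTest.php): a HEAD request from
// an anonymous client must be challenged or denied, never answered with 200.
namespace App\Tests\Controller;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class HeadBypassTest extends WebTestCase
{
    public function testHeadIsNotServedAnonymously(): void
    {
        $client = static::createClient();
        $client->request('HEAD', '/admin/report/export');
        self::assertNotSame(200, $client->getResponse()->getStatusCode());
    }
}
```

Running the test against an affected release with the legacy-export path substituted shows the 200 that the hardened route no longer returns.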
Severity
Medium
CVSS v3 Base Score
6.5

Affected Packages

Platform            Package    Release Date    Advisory    Status
Amazon Linux 2023   composer   -               -           Not Affected

CVSS Scores

Score Type             Score    Vector
Amazon Linux CVSSv3    6.5      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N