diff --git a/lib/util/sfNamespacedParameterHolder.class.php b/lib/util/sfNamespacedParameterHolder.class.php
index 9b816c702..85ae5596c 100644
--- a/lib/util/sfNamespacedParameterHolder.class.php
+++ b/lib/util/sfNamespacedParameterHolder.class.php
@@ -53,11 +53,19 @@ public function __serialize()
     /**
      * Unserializes a sfParameterHolder instance for PHP 7.4+.
+     * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
      *
      * @param array $data
      */
     public function __unserialize($data)
     {
+        if (!is_array($data) || 2 !== \count($data)) {
+            $this->default_namespace = null;
+            $this->parameters = [];
+
+            return;
+        }
+
         $this->default_namespace = $data[0];
         $this->parameters = $data[1];
     }
diff --git a/lib/util/sfParameterHolder.class.php b/lib/util/sfParameterHolder.class.php
index 45ce953bc..82544b955 100644
--- a/lib/util/sfParameterHolder.class.php
+++ b/lib/util/sfParameterHolder.class.php
@@ -41,11 +41,18 @@ public function __serialize()
     /**
      * Unserializes a sfParameterHolder instance for PHP 7.4+.
+     * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
      *
      * @param array $data
      */
     public function __unserialize($data)
     {
+        if (!is_array($data)) {
+            $this->parameters = [];
+
+            return;
+        }
+
         $this->parameters = $data;
     }
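Review bot: The new guard in sfNamespacedParameterHolder::__unserialize only checks that `$data` is a two-element array, so a payload whose elements carry other keys or other types still reaches `$this->default_namespace = $data[0]` and `$this->parameters = $data[1]`; a non-array second element leaves the holder's parameter map as a scalar, and missing keys 0/1 produce undefined-key warnings and null assignments. The reset branch itself assumes `parameters` is an array, so the check should extend to the elements, e.g. `if (!is_array($data) || 2 !== \count($data) || !\array_key_exists(0, $data) || !is_array($data[1] ?? null)) {`. If `__serialize` (above the hunk) is known to store a string-or-null namespace, `$data[0]` can be constrained the same way; confirm against that method. A smaller style point: `\count` is fully qualified while `is_array` on the same line is not; pick one form.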
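Review bot: The docblock line added above sfParameterHolder::__unserialize says the payload type is checked but not what happens when the check fails, and `@param array $data` still promises an array that the guard no longer assumes, so a reader has to infer that a malformed payload silently yields an empty holder. Suggest stating the contract in the docblock, e.g. `* A non-array payload is discarded and the holder is reset to an empty parameter set instead of raising an error.`; the same applies to the sfNamespacedParameterHolder hunk. The silent reset also means a rejected payload leaves no trace for operators; if a logging hook is available to this class, recording the rejection would make corrupted or tampered serialized data observable, though no logger is visible in this hunk to confirm one exists.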