Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

INFO

Published Date :

2025-11-12T21:40:57.738Z

Last Modified :

2025-11-13T16:50:55.341Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64500 vulnerability.

Vendors Products
Sensiolabs
  • Httpfoundation
  • Symfony
Symfony
  • Symfony
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64500.

URL Resource
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml cve-icon cve-icon
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml cve-icon cve-icon
https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac cve-icon cve-icon
https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm cve-icon cve-icon
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact