Home

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

PUBLISHED Reserved 2025-11-05 | Published 2025-11-12 | Updated 2025-11-13 | Assigner GitHub_M




HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Problem types

CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions

Product status

>= 2.0.0, < 5.4.50
affected

>= 6.0.0, < 6.4.29
affected

>= 7.0.0, < 7.3.7
affected

References

github.com/...ymfony/security/advisories/GHSA-3rg7-wf37-54rm

github.com/...ommit/9962b91b12bb791322fa73836b350836b6db7cac

github.com/...er/symfony/http-foundation/CVE-2025-64500.yaml

github.com/...lob/master/symfony/symfony/CVE-2025-64500.yaml

symfony.com/...info-can-lead-to-limited-authorization-bypass

cve.org (CVE-2025-64500)

nvd.nist.gov (CVE-2025-64500)

Download JSON