CVE-2025-64500

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

CVSS v3.1 Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Weakness Type (CWE)

CWE-647 CWE-647

Affected Products

Vendor	Product	Versions
sensiolabs	httpfoundation	2.0.0 — 5.4.50
sensiolabs	httpfoundation	6.0.0 — 6.4.29
sensiolabs	httpfoundation	7.0.0 — 7.3.7
sensiolabs	symfony	2.0.0 — 5.4.50
sensiolabs	symfony	6.0.0 — 6.4.29
sensiolabs	symfony	7.0.0 — 7.3.7

References

Advisories & Patches

https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm

Other References

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Frequently Asked Questions

What is CVE-2025-64500? +

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`. It has a CVSS v3.1 base score of 7.3 (HIGH).

How severe is CVE-2025-64500? +

CVE-2025-64500 has a CVSS v3.1 score of 7.3 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2025-64500? +

CVE-2025-64500 affects products from sensiolabs, specifically: httpfoundation, symfony. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-64500? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-5222

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting …

CVE-2025-66202 6.5

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker …

CVE-2025-47241 4.0

In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the …

CVE-2025-43916 3.4

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which …

CVE-2024-50342 3.1

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. …

CVE-2024-50345 3.1

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` …