- Description
- Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- httpfoundation, symfony
CVSS 3.1
- Type
- Secondary
- Base score
- 7.3
- Impact score
- 3.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Severity
- HIGH
- security-advisories@github.com
- CWE-647
- Hype score
- Not currently trending
๐จ CVE-2025-64500 - high ๐จ Symfony HttpFoundation - Access Control Bypass via PATH_INFO > Symfony HttpFoundation component >= 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7... ๐พ https://t.co/mTCfBsqYa0 @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
3 Apr 2026
220 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
#VulnerabilityReport #AuthorizationBypass Symfony Patches PATH_INFO Parsing Flaw Leading to Authorization Bypass (CVE-2025-64500) https://t.co/Dw2h7h39wi
@Komodosec
22 Dec 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Une faille dans Symfony permet de contourner les rรจgles d'accรจs - CVE-2025-64500 https://t.co/7zY5T7ugQn
@ytroncal
1 Dec 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64500: Authorization Bypass in Symfony, 7.3 ratingโ๏ธ The vulnerability allows attackers to bypass certain access restrictions based on the leading "/" character. Search at https://t.co/hv7QKSqxTR: ๐ Link: https://t.co/XNZRrw80AE https://t.co/VewdOZPXoa
@Netlas_io
17 Nov 2025
1176 Impressions
3 Retweets
11 Likes
5 Bookmarks
0 Replies
0 Quotes
๐ ๐๐ฒ๐ฆ๐๐จ๐ง๐ฒ ๐๐๐ญ๐๐ก๐๐ฌ ๐๐๐๐_๐๐๐ ๐ ๐๐๐ซ๐ฌ๐ข๐ง๐ ๐ ๐ฅ๐๐ฐ ๐๐๐๐๐ข๐ง๐ ๐ญ๐จ ๐๐ฎ๐ญ๐ก๐จ๐ซ๐ข๐ณ๐๐ญ๐ข๐จ๐ง ๐๐ฒ๐ฉ๐๐ฌ๐ฌ (๐๐๐-๐
@PurpleOps_io
15 Nov 2025
28 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
โ ๏ธโ ๏ธ CVE-2025-64500: In Symfony HTTP Foundation vulnerable versions (< 5.4.50, < 6.4.29, < 7.3.7), incorrect parsing of PATH_INFO can lead to a limited authorization bypass ๐ฏ23.8k+ Results are found on the https://t.co/pb16tGYaKe nearly year. ๐FOFA Link: ht
@fofabot
14 Nov 2025
939 Impressions
3 Retweets
12 Likes
5 Bookmarks
0 Replies
0 Quotes
๐จ๐จCVE-2025-64500: Symfony's PATH_INFO parser glitch lets URLs slip without leading /โbypassing access controls that assume it. Search by vul.cve Filter๐vul.cve="CVE-2025-64500" ZoomEye Dork๐app="Symfony" Found 32K+ instances on ZoomEye. ZoomEye Link: https://t.co/b
@zoomeye_team
13 Nov 2025
2491 Impressions
7 Retweets
31 Likes
11 Bookmarks
0 Replies
0 Quotes
CVE-2025-64500 Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer โฆ https://t.co/mCK0SZUQUe
@CVEnew
13 Nov 2025
190 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
๐ CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass โก๏ธ https://t.co/hS4YbdNBMV
@symfony
12 Nov 2025
4589 Impressions
8 Retweets
29 Likes
6 Bookmarks
2 Replies
1 Quote
๐ CVE-2025-64500: Command execution hijack on Windows with Process class โก๏ธ https://t.co/nvvaHvsaqp
@symfony
12 Nov 2025
2098 Impressions
3 Retweets
12 Likes
2 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D588185-C231-41DD-AE26-9EF1B0455E74",
"versionEndExcluding": "5.4.50",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2A74C0-A989-4BAB-BDB3-0A65864B562A",
"versionEndExcluding": "6.4.29",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F169B04-38C4-4825-A5A2-F010F1BC3D82",
"versionEndExcluding": "7.3.7",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E3ADEC4-C8AE-415E-969F-5B4D1C1C701C",
"versionEndExcluding": "5.4.50",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E769614-2F0D-4DD4-871D-8AE245F3EC9C",
"versionEndExcluding": "6.4.29",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6AFA7FF2-0E23-4EC8-923E-3A4A69C75B13",
"versionEndExcluding": "7.3.7",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]