AI description
CVE-2025-64500 refers to an issue in Symfony's Request class related to the parsing of PATH_INFO. The class improperly interprets certain PATH_INFO values, so that some URLs are represented with a path that does not start with a forward slash ("/"). This can allow attackers to bypass access control rules that rely on the "/"-prefix assumption. The vulnerability is addressed by ensuring that URL paths always begin with a "/". A patch is available for the 5.4 branch of Symfony. Drupal also included the fix as a hardening measure in its 11.2.8 release, although Drupal itself does not directly expose the vulnerability.
- Description
- Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
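The access-control failure described above is a mismatch between how rules are written (anchored on a leading "/") and the shape of the path they are matched against. The following is an added example, not Symfony's code and not the patched Request class; it is a language-neutral illustration in Python of why a path without its leading slash falls through every "/"-anchored rule, and of the two defensive properties that close the gap: normalize the path before matching (the advisory states that paths now always start with "/", and nothing more is assumed here) and fail closed when no rule matches. The rules, role names and sample paths are constructed for illustration; the sample path lacking its slash is not the specific PATH_INFO input involved in the advisory.

```python
import re

# Constructed access-control rules, written the way such rules usually are:
# every pattern assumes the request path begins with "/".
# Illustration values only; not taken from any real application.
RULES = [
    (re.compile(r"^/admin"), "ROLE_ADMIN"),
    (re.compile(r"^/api/internal"), "ROLE_SERVICE"),
    (re.compile(r"^/"), "PUBLIC"),  # catch-all: everything else is public
]


def required_role(path):
    """Return the role demanded by the first matching rule, or None if none matches.

    Each pattern is anchored on '/', so a path without that prefix matches nothing,
    not even the catch-all. That gap is what the '/'-prefix assumption creates.
    """
    for pattern, role in RULES:
        if pattern.search(path):
            return role
    return None


def normalize_path(path):
    """Make the path begin with '/'.

    Mirrors only what the advisory states about the fix (paths always start with '/');
    no other normalization is performed or implied here.
    """
    return path if path.startswith("/") else "/" + path


def is_allowed(path, granted_roles, normalize=True):
    """Decide access for a request path.

    1. Normalize before matching, so the rules see the shape they were written for.
    2. Fail closed: a path that matches no rule is denied, never silently allowed.
    """
    if normalize:
        path = normalize_path(path)
    role = required_role(path)
    if role is None:
        return False  # unmatched path: deny rather than treat as public
    if role == "PUBLIC":
        return True
    return role in granted_roles


if __name__ == "__main__":
    # Constructed sample paths; the second one lacks its leading slash to show the failure mode.
    for sample in ("/admin/users", "admin/users", "/login"):
        print(
            f"{sample!r:16} raw rule match={required_role(sample)!s:11} "
            f"after normalize={required_role(normalize_path(sample))!s:11} "
            f"allowed for ROLE_USER={is_allowed(sample, {'ROLE_USER'})}"
        )
```

Run stand-alone, the table shows the protected path matching no rule at all when its slash is missing, matching `ROLE_ADMIN` once normalized, and being denied for a plain user either way because unmatched paths are not treated as public.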
CVSS 3.1
- Type
- Secondary
- Base score
- 7.3
- Impact score
- 3.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Severity
- HIGH
- security-advisories@github.com
- CWE-647
- Hype score
- Not currently trending
CVE-2025-64500: Authorization Bypass in Symfony, 7.3 rating❗️ The vulnerability allows attackers to bypass certain access restrictions based on the leading "/" character. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/XNZRrw80AE https://t.co/VewdOZPXoa
@Netlas_io
17 Nov 2025
576 Impressions
2 Retweets
5 Likes
2 Bookmarks
0 Replies
0 Quotes
🔍 Symfony Patches PATH_INFO Parsing Flaw Leading to Authorization Bypass (CVE-2
@PurpleOps_io
15 Nov 2025
28 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
⚠️⚠️ CVE-2025-64500: In Symfony HTTP Foundation vulnerable versions (< 5.4.50, < 6.4.29, < 7.3.7), incorrect parsing of PATH_INFO can lead to a limited authorization bypass 🎯23.8k+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link: ht
@fofabot
14 Nov 2025
939 Impressions
3 Retweets
12 Likes
5 Bookmarks
0 Replies
0 Quotes
🚨🚨CVE-2025-64500: Symfony's PATH_INFO parser glitch lets URLs slip without leading /—bypassing access controls that assume it. Search by vul.cve Filter👉vul.cve="CVE-2025-64500" ZoomEye Dork👉app="Symfony" Found 32K+ instances on ZoomEye. ZoomEye Link: https://t.co/b
@zoomeye_team
13 Nov 2025
2491 Impressions
7 Retweets
31 Likes
11 Bookmarks
0 Replies
0 Quotes
CVE-2025-64500 Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer … https://t.co/mCK0SZUQUe
@CVEnew
13 Nov 2025
190 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔐 CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass ➡️ https://t.co/hS4YbdNBMV
@symfony
12 Nov 2025
4589 Impressions
8 Retweets
29 Likes
6 Bookmarks
2 Replies
1 Quote
🔐 CVE-2025-64500: Command execution hijack on Windows with Process class ➡️ https://t.co/nvvaHvsaqp
@symfony
12 Nov 2025
2098 Impressions
3 Retweets
12 Likes
2 Bookmarks
0 Replies
0 Quotes