CVE-2025-64500

Published Nov 12, 2025

Last updated 2 months ago

CVSS high 7.3
Symfony
HTTP

Overview

Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` values in a way that leads to representing some URLs with a path that does not start with a `/`. This can allow bypassing access control rules that are built on the assumption that every request path starts with `/` (for example, rules anchored on a `/`-prefixed path pattern). Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class ensures that URL paths always start with a `/`.
Source
security-advisories@github.com
NVD status
Analyzed
Products
httpfoundation, symfony
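The `/`-prefix assumption from the description, as an added example that is not Symfony's own code: a plain-PHP model of an ordered `access_control` list (the rule patterns, role names, and request paths are constructed for illustration, and the functions `requiredRoles`, `normalizePath` and `isAllowed` are this example's, not HttpFoundation API). It shows that a request path the framework has rendered as `admin/users` instead of `/admin/users` matches no anchored rule and is therefore left unrestricted, and that normalizing the leading slash before the rules see the path, which is what the fixed `Request` class does, closes that gap. How the un-prefixed path arises inside the framework is not modeled here.

```php
<?php
// Added example, not Symfony code: models why access rules written as "^/admin"
// silently fail on a request path that lacks its leading "/", and the normalization
// that the fixed Request class applies before such rules see the path.
declare(strict_types=1);

// Constructed rules in the shape of Symfony's security.yaml `access_control` list.
// Each entry is an anchored regex plus the roles required when it matches.
const ACCESS_CONTROL = [
    ['path' => '^/admin',        'roles' => ['ROLE_ADMIN']],
    ['path' => '^/api/internal', 'roles' => ['ROLE_INTERNAL']],
    ['path' => '^/',             'roles' => ['PUBLIC_ACCESS']],
];

/** Return the roles demanded by the first rule whose regex matches (top to bottom). */
function requiredRoles(string $path, array $rules): array
{
    foreach ($rules as $rule) {
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule['roles'];
        }
    }
    // No rule matched: the access_control layer imposes nothing.
    // This is the branch an un-prefixed path falls into.
    return [];
}

/** Guarantee a leading "/" so anchored rules see the path they were written for. */
function normalizePath(string $path): string
{
    return ('' === $path || '/' !== $path[0]) ? '/' . $path : $path;
}

/** Access decision for a caller holding $heldRoles; $normalize toggles the fix. */
function isAllowed(string $path, array $heldRoles, array $rules, bool $normalize): bool
{
    if ($normalize) {
        $path = normalizePath($path);
    }
    $required = requiredRoles($path, $rules);
    if ([] === $required || in_array('PUBLIC_ACCESS', $required, true)) {
        return true;
    }
    return [] !== array_intersect($required, $heldRoles);
}

// Constructed inputs: the same resources once with and once without the leading slash,
// evaluated for an anonymous caller that holds no roles.
$anonymous = [];
foreach (['/admin/users', 'admin/users', '/api/internal/keys', 'api/internal/keys', '/blog'] as $path) {
    printf("%-20s unnormalized=%s normalized=%s\n",
        $path,
        isAllowed($path, $anonymous, ACCESS_CONTROL, false) ? 'ALLOW' : 'DENY',
        isAllowed($path, $anonymous, ACCESS_CONTROL, true) ? 'ALLOW' : 'DENY');
}
```

Run it with `php access_control_model.php` (file name assumed). The un-prefixed `admin/users` and `api/internal/keys` paths are allowed for the anonymous caller in the unnormalized column and denied once the slash is restored. The design point is to normalize the path before matching rather than to loosen every rule to `^/?admin`: a single normalization step covers rules you have not yet written, whereas a loosened regex has to be remembered in each one.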

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.3
Impact score
3.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-647

Social media

Hype score
Not currently trending
  1. #VulnerabilityReport #AuthorizationBypass Symfony Patches PATH_INFO Parsing Flaw Leading to Authorization Bypass (CVE-2025-64500) https://t.co/Dw2h7h39wi
     @Komodosec, 22 Dec 2025: 29 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  2. A flaw in Symfony allows access rules to be bypassed - CVE-2025-64500 https://t.co/7zY5T7ugQn
     @ytroncal, 1 Dec 2025: 22 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  3. CVE-2025-64500: Authorization Bypass in Symfony, 7.3 rating❗️ The vulnerability allows attackers to bypass certain access restrictions based on the leading "/" character. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/XNZRrw80AE https://t.co/VewdOZPXoa
     @Netlas_io, 17 Nov 2025: 1176 impressions, 3 retweets, 11 likes, 5 bookmarks, 0 replies, 0 quotes

  4. 🔍 Symfony Patches PATH_INFO Parsing Flaw Leading to Authorization Bypass (CVE-2
     @PurpleOps_io, 15 Nov 2025: 28 impressions, 0 retweets, 1 like, 1 bookmark, 0 replies, 0 quotes

  5. ⚠️⚠️ CVE-2025-64500: In Symfony HTTP Foundation vulnerable versions (< 5.4.50, < 6.4.29, < 7.3.7), incorrect parsing of PATH_INFO can lead to a limited authorization bypass 🎯23.8k+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link: ht
     @fofabot, 14 Nov 2025: 939 impressions, 3 retweets, 12 likes, 5 bookmarks, 0 replies, 0 quotes

  6. 🚨🚨CVE-2025-64500: Symfony's PATH_INFO parser glitch lets URLs slip without leading /—bypassing access controls that assume it. Search by vul.cve Filter👉vul.cve="CVE-2025-64500" ZoomEye Dork👉app="Symfony" Found 32K+ instances on ZoomEye. ZoomEye Link: https://t.co/b
     @zoomeye_team, 13 Nov 2025: 2491 impressions, 7 retweets, 31 likes, 11 bookmarks, 0 replies, 0 quotes

  7. CVE-2025-64500 Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer … https://t.co/mCK0SZUQUe
     @CVEnew, 13 Nov 2025: 190 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  8. 🔐 CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass ➡️ https://t.co/hS4YbdNBMV
     @symfony, 12 Nov 2025: 4589 impressions, 8 retweets, 29 likes, 6 bookmarks, 2 replies, 1 quote

  9. 🔐 CVE-2025-64500: Command execution hijack on Windows with Process class ➡️ https://t.co/nvvaHvsaqp
     @symfony, 12 Nov 2025: 2098 impressions, 3 retweets, 12 likes, 2 bookmarks, 0 replies, 0 quotes

Configurations

  1. CVE-2026-24739: Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as "special" when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2's argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted or truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contain a patch for the issue. Some workarounds are available: avoid running PHP or your own tooling from MSYS2-based shells on Windows, preferring cmd.exe or PowerShell for workflows that spawn native executables; avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2; and, where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding that this may affect other tooling behavior.