CVE-2025-64500
Last modified
CVE-2025-64500 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. EPSS estimates a 1.30% chance of exploitation in the next 30 days.
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Httpfoundation | >= 2.0.0, < 5.4.50 |
| Sensiolabs | Httpfoundation | >= 6.0.0, < 6.4.29 |
| Sensiolabs | Httpfoundation | >= 7.0.0, < 7.3.7 |
| Sensiolabs | Symfony | >= 2.0.0, < 5.4.50 |
| Sensiolabs | Symfony | >= 6.0.0, < 6.4.29 |
| Sensiolabs | Symfony | >= 7.0.0, < 7.3.7 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-64500?
How severe is CVE-2025-64500?
How do I fix CVE-2025-64500?
Are you affected by CVE-2025-64500?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST