CVE-2025-64500
November 12, 2025
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" values, so that some URLs are represented with a path that does not start with a "/". Access-control rules that assume the "/" prefix (for example, a path regex anchored on "^/admin") do not match such a path, so the request falls through to whatever applies when no rule matches, bypassing the rule. Versions 5.4.50, 6.4.29, and 7.3.7 fix this: the "Request" class now ensures that URL paths always start with a "/".
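The following is an added example, not Symfony's own code and not a claimed trigger for the bug. It models an access-control table in the style of security.yaml "access_control" entries (hypothetical rules "^/admin", "^/api" and a "^/" catch-all), applies them to constructed path values, and contrasts the unnormalised path with one passed through a normalisation step that gives the guarantee the fixed releases provide (the path always begins with "/"). The value "admin/users" merely stands in for a path that a pre-fix "Request" could report without its leading "/".

```php
<?php
// Added example (not Symfony's code). Shows why a "/"-prefix assumption in
// path-based access control fails when the path arrives without the slash,
// and why a "^/" catch-all does not save you.
declare(strict_types=1);

/** Hypothetical rules, first match wins; a request matching no rule is allowed through. */
const ACCESS_CONTROL = [
    ['path' => '^/admin', 'roles' => ['ROLE_ADMIN']],
    ['path' => '^/api',   'roles' => ['ROLE_USER']],
    ['path' => '^/',      'roles' => ['ROLE_USER']],   // intended deny-by-default
];

/** Roles required for $path, or [] when no rule matches. */
function requiredRoles(string $path): array
{
    foreach (ACCESS_CONTROL as $rule) {
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule['roles'];
        }
    }
    return [];
}

/** The guarantee the fixed releases provide, as a stand-alone step: a leading "/" is never missing. */
function normalizePath(string $path): string
{
    return ($path === '' || $path[0] !== '/') ? '/' . $path : $path;
}

/** Grant when no rule applies or the user holds one of the required roles. */
function isGranted(array $userRoles, string $path, bool $normalize): bool
{
    $required = requiredRoles($normalize ? normalizePath($path) : $path);
    return $required === [] || array_intersect($required, $userRoles) !== [];
}

// Constructed inputs for an anonymous (role-less) user. "admin/users" and
// "api/items" stand in for paths reported without their leading "/".
$anonymous = [];
foreach (['/admin/users', 'admin/users', 'api/items', '/public/about'] as $path) {
    printf(
        "%-14s unnormalised: %-6s normalised: %s\n",
        $path,
        isGranted($anonymous, $path, false) ? 'ALLOW' : 'DENY',
        isGranted($anonymous, $path, true)  ? 'ALLOW' : 'DENY'
    );
}
```

With the rules above, every normalised path is denied to the anonymous user, but the unnormalised "admin/users" and "api/items" match neither their specific rule nor the "^/" catch-all and are allowed through. The catch-all shares the same "/"-prefix assumption; only a rule anchored on a bare "^" (matching every path) would have caught them in this model. The real remedy is to upgrade to a fixed release, where the "Request" class supplies the leading "/" itself.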
Affected Packages
symfony/http-foundation (PHP):
  Affected version(s): >=v2.0.0 <v5.4.50   Fix suggestion: update to v5.4.50
  Affected version(s): >=v6.0.0 <v6.4.29   Fix suggestion: update to v6.4.29
  Affected version(s): >=v7.0.0 <v7.3.7    Fix suggestion: update to v7.3.7

symfony/symfony (PHP):
  Affected version(s): >=v2.0.0BETA1 <v5.4.50   Fix suggestion: update to v5.4.50
  Affected version(s): >=v6.0.0 <v6.4.29        Fix suggestion: update to v6.4.29
  Affected version(s): >=v7.0.0 <v7.3.7         Fix suggestion: update to v7.3.7
CVSS v4
Base Score: 6.9
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 7.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: LOW
Weakness Type (CWE)
CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
EPSS
Score: 0.04 (estimated probability of exploitation activity in the next 30 days)