CVE-2025-64500
Published 2025-11-12
Priority P3 · 57 · high · 7.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS 1.30% (66.8th percentile)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
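The description above is abstract, so here is a constructed model of the failure mode (added example, not Symfony's code): a simplified re-implementation of how a front controller's script name is stripped from the request URI to obtain the path, before and after a fix that forces a leading `/`, and what a typical first-match-wins `access_control` list sees in each case. The prefix-stripping logic, the script name `/index.php` and the rule list are assumptions chosen to be consistent with the `/index.php_profiler/` probe path listed in this page's detection section; the real `Request` class does more than this.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical access_control entries in the order security.yaml would
# evaluate them; like most real rules, every regex assumes the path
# starts with "/".
ACCESS_CONTROL: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^/_profiler"), "ROLE_ADMIN"),
    (re.compile(r"^/admin"), "ROLE_ADMIN"),
    (re.compile(r"^/"), "PUBLIC_ACCESS"),
]


def path_info_vulnerable(request_uri: str, script_name: str) -> str:
    """Simplified pre-fix behaviour (assumption, not the project's code):
    when the request URI starts with the front controller's script name,
    that prefix is taken as the base URL and whatever follows is returned
    as-is, even when it does not start with '/'."""
    path = request_uri.split("?", 1)[0]
    if path.startswith(script_name):
        rest = path[len(script_name):]
    else:
        # URL rewriting delivered the request to the front controller
        # without the script name appearing in the URI.
        rest = path
    return rest or "/"


def path_info_fixed(request_uri: str, script_name: str) -> str:
    """Post-fix behaviour as the advisory describes it: the path always
    starts with '/'."""
    rest = path_info_vulnerable(request_uri, script_name)
    return rest if rest.startswith("/") else "/" + rest


def required_role(path_info: str) -> Optional[str]:
    """First matching access_control entry wins. If none matches, the
    access listener imposes no requirement, which is exactly what an
    attacker wants for a path that lost its leading '/'."""
    for pattern, role in ACCESS_CONTROL:
        if pattern.search(path_info):
            return role
    return None


def compare(request_uri: str, script_name: str = "/index.php") -> Dict[str, Optional[str]]:
    """Show the path and the enforced role for the same URI under both
    behaviours."""
    vuln = path_info_vulnerable(request_uri, script_name)
    fixed = path_info_fixed(request_uri, script_name)
    return {
        "vulnerable_path_info": vuln,
        "vulnerable_required_role": required_role(vuln),
        "fixed_path_info": fixed,
        "fixed_required_role": required_role(fixed),
    }


if __name__ == "__main__":
    for uri in ("/index.php/_profiler/", "/_profiler/", "/index.php_profiler/"):
        print(uri, compare(uri))
```

With the glued form `/index.php_profiler/`, the vulnerable model yields `_profiler/`, which no rule matches, so no role is required; the fixed model yields `/_profiler/` and the `ROLE_ADMIN` rule applies. Rules written as `^/_profiler` are therefore not wrong, but they depend on the framework's guarantee about the leading slash, which is what the patch restores.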
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | symfony | < symfony 5.4.23+dfsg-1+deb12u5 (bookworm) | symfony 5.4.23+dfsg-1+deb12u5 (bookworm) |
| sensiolabs | httpfoundation | >= 2.0.0 < 5.4.50 | 5.4.50 |
| sensiolabs | httpfoundation | >= 6.0.0 < 6.4.29 | 6.4.29 |
| sensiolabs | httpfoundation | >= 7.0.0 < 7.3.7 | 7.3.7 |
| sensiolabs | symfony | >= 2.0.0 < 5.4.50 | 5.4.50 |
| sensiolabs | symfony | >= 6.0.0 < 6.4.29 | 6.4.29 |
| sensiolabs | symfony | >= 7.0.0 < 7.3.7 | 7.3.7 |
| symfony | http-foundation | >= 0 < 5.4.50 | 5.4.50 |
| symfony | http-foundation | >= 6.0.0 < 6.4.29 | 6.4.29 |
| symfony | http-foundation | >= 7.0.0 < 7.3.7 | 7.3.7 |
| symfony | symfony | — | — |
| symfony | symfony | — | — |
| symfony | symfony | — | — |
| symfony | symfony | >= 0 < 5.4.23+dfsg-1+deb12u5 | 5.4.23+dfsg-1+deb12u5 |
| symfony | symfony | >= 0 < 6.4.21+dfsg-2+deb13u1 | 6.4.21+dfsg-2+deb13u1 |
| symfony | symfony | >= 0 < 7.4.0~rc1+dfsg-1 | 7.4.0~rc1+dfsg-1 |
| symfony | symfony | >= 2.0.0 < 5.4.50 | 5.4.50 |
| symfony | symfony | >= 6.0.0 < 6.4.29 | 6.4.29 |
| symfony | symfony | >= 7.0.0 < 7.3.7 | 7.3.7 |
Detection & IOCs (extracted from sources)
- url: /{{front_controller}}_profiler/
- path: /index.php_profiler/
- path: /app.php_profiler/
- url: https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
- Probe for an exposed Symfony Profiler endpoint by requesting /<front_controller>_profiler/ (e.g. /index.php_profiler/ or /app.php_profiler/); a response indicating a successful bypass contains 'Symfony Profiler', 'Profiler', or 'Symfony-Debug-Toolbar' in the body.
- The vulnerability is triggered by PATH_INFO values that cause the Request class to produce URL paths without a leading `/`, bypassing access control rules that rely on the `/`-prefix assumption.
- Identify Symfony installations via a Shodan CPE query for sensiolabs symfony; affected versions are >= 2.0.0 and < 5.4.50, 6.4.29, or 7.3.7.
- The Nuclei template targets only two common front-controller filenames (index.php, app.php); an application that uses another front-controller name would not be detected.
- Detection stops at the first matching front-controller payload, so only one probe result is evaluated per host.
- The body markers are generic ('Profiler' alone can appear in unrelated pages), so confirm a hit against the deployed HttpFoundation version before treating it as exploitable.
- The fix is version-specific: patches are available in 5.4.50, 6.4.29, and 7.3.7; Debian bookworm ships the fix in 5.4.23+dfsg-1+deb12u5, while bullseye remains open.
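The probe above covers active scanning; the same request shape can be hunted retrospectively in web-server logs. The following is an added example (not the Nuclei template and not Symfony code) that parses common/combined-format access log lines and flags any request in which a front-controller filename is immediately followed by a character other than `/`, `?` or end of path. It generalizes beyond `_profiler` to any glued suffix, and the front-controller list is an assumption you should extend for applications that use other names. The log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Assumed front-controller names; add others used by the applications you run.
FRONT_CONTROLLERS = ("index.php", "app.php")

# A front-controller name followed directly by something that is not a path
# separator, a query string or the end of the path: "/index.php_profiler/"
# matches, "/index.php/_profiler/" and "/index.php?x=1" do not.
PROBE_RE = re.compile(
    r"/(?:" + "|".join(re.escape(fc) for fc in FRONT_CONTROLLERS) + r")(?=[^/?\s])"
)

# Common/combined log format: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_probe_path(path: str) -> bool:
    """True when a front-controller name is glued to the rest of the path."""
    return PROBE_RE.search(path) is not None


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request whose path has the glued shape."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, ts, method, path, status = m.groups()
        if is_probe_path(path):
            hits.append({"ip": ip, "time": ts, "method": method,
                         "path": path, "status": status})
    return hits


# Constructed sample lines: the first is the legitimate, correctly separated
# form and should not be flagged; the next two are the glued form.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2025:10:01:02 +0000] "GET /index.php/_profiler/ HTTP/1.1" 403 512 "-" "curl/8.5.0"
203.0.113.5 - - [12/Nov/2025:10:01:03 +0000] "GET /index.php_profiler/ HTTP/1.1" 200 5123 "-" "curl/8.5.0"
198.51.100.7 - - [12/Nov/2025:10:02:10 +0000] "GET /app.php_profiler/latest HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Nov/2025:10:03:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Nov/2025:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["method"], hit["path"], hit["status"])
```

A glued path answered with 200 from the same client that just received 403 for the `/`-separated path (the first two sample lines) is the strongest signal; a glued path answered with 404 is most likely a scanner that found nothing. Logs do not carry the response body, so the 'Symfony Profiler' markers from the Nuclei template cannot be checked here; pair this with a version check of the deployed HttpFoundation package.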
CVSS provenance
- nvd: v3.1 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- osv: 7.3 HIGH
- vendor_debian: 7.3 HIGH
Debian
CVE-2025-64500: symfony
vendor_debian · 2025 · CVSS 7.3 · HIGH
Scope: local
bookworm: resolved (fixed in 5.4.23+dfsg-1+deb12u5)
bullseye: open
forky: resolved (fixed in 7.4.0~rc1+dfsg-1)
sid: resolved (fixed in 7.4.0~rc1+dfsg-1)
GHSA
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
ghsa · 2025-11-12 · HIGH · CWE-647
### Description
The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.
### Resolution
The `Request` class now ensures that URL paths always start with a `/`.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac) for branch 5.4.
### Credits
We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.
OSV
CVE-2025-64500: Symfony is a PHP framework for web and console applications and a set of reusable PHP components
osv · 2025-11-12 · CVSS 7.3 · HIGH
OSV
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
osv · 2025-11-12 · HIGH
No detection rules found.
Nuclei
Symfony HttpFoundation - Access Control Bypass via PATH_INFO
nuclei · CVSS 7.3 · HIGH
Symfony HttpFoundation component >= 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7 contains an access control bypass vulnerability. The Request class improperly interprets some PATH_INFO values, producing URL paths without a leading `/`. This allows bypassing access control rules that are built with the `/`-prefix assumption.
Template:

```yaml
id: CVE-2025-64500

info:
  name: Symfony HttpFoundation - Access Control Bypass via PATH_INFO
  author: DhiyaneshDk
  severity: high
  description: |
    Symfony HttpFoundation component >= 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7 contains an access control bypass vulnerability. The Request class improperly interprets some PATH_INFO values, producing URL paths without a leading `/`. Thi
```
No writeups or analysis indexed.
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml
- https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
- https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
- https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Published 2025-11-12