cbcvebase.
CVE-2025-64500
published 2025-11-12

Priority: P357 · Severity: high · CVSS 3.1 base score: 7.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
EPSS: 1.30% (66.8th percentile)

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
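To make the `/`-prefix assumption concrete, here is an added PHP illustration (not Symfony's code and not its patch): a hypothetical prefix rule evaluated on the raw path beside the same rule after a normalisation step that guarantees the leading `/`. The rule pattern, the function names and the sample paths are constructed for this example.

```php
<?php
// Added illustration, not Symfony's code or its patch: a prefix-based access
// rule silently fails open when the request path lacks a leading "/", and a
// defensive normalisation step restores that invariant before matching.
declare(strict_types=1);

// Hypothetical rule in the style of a path-prefix access_control entry.
const PROTECTED_PATH = '#^/_profiler#';

/** Rule as commonly written: assumes every path begins with "/". */
function isProtectedRaw(string $path): bool
{
    return preg_match(PROTECTED_PATH, $path) === 1;
}

/** Ensure exactly one leading "/" so prefix rules see a canonical path. */
function normalizePath(string $path): string
{
    return '/' . ltrim($path, '/');
}

/** Same rule, applied only after normalisation. */
function isProtectedNormalized(string $path): bool
{
    return isProtectedRaw(normalizePath($path));
}

// Constructed sample paths. The second has the shape the advisory describes:
// the profiler path without its leading "/" (cf. /index.php_profiler/).
// The third shows a doubled slash, which the raw rule also misses.
$samples = ['/_profiler/', '_profiler/', '//_profiler/', '/about'];

foreach ($samples as $path) {
    printf(
        "%-14s raw rule: %-9s normalized rule: %s\n",
        $path,
        isProtectedRaw($path) ? 'protected' : 'OPEN',
        isProtectedNormalized($path) ? 'protected' : 'OPEN'
    );
}
```

The same normalisation belongs in front of any component that matches on path prefixes (framework firewall rules, reverse-proxy location blocks), not only the one shown here.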

Affected

19 ranges

| Vendor     | Product         | Version range                                | Fixed in                                  |
|------------|-----------------|----------------------------------------------|-------------------------------------------|
| debian     | symfony         | < symfony 5.4.23+dfsg-1+deb12u5 (bookworm)   | symfony 5.4.23+dfsg-1+deb12u5 (bookworm)  |
| sensiolabs | httpfoundation  | >= 2.0.0 < 5.4.50                            | 5.4.50                                    |
| sensiolabs | httpfoundation  | >= 6.0.0 < 6.4.29                            | 6.4.29                                    |
| sensiolabs | httpfoundation  | >= 7.0.0 < 7.3.7                             | 7.3.7                                     |
| sensiolabs | symfony         | >= 2.0.0 < 5.4.50                            | 5.4.50                                    |
| sensiolabs | symfony         | >= 6.0.0 < 6.4.29                            | 6.4.29                                    |
| sensiolabs | symfony         | >= 7.0.0 < 7.3.7                             | 7.3.7                                     |
| symfony    | http-foundation | >= 0 < 5.4.50                                | 5.4.50                                    |
| symfony    | http-foundation | >= 6.0.0 < 6.4.29                            | 6.4.29                                    |
| symfony    | http-foundation | >= 7.0.0 < 7.3.7                             | 7.3.7                                     |
| symfony    | symfony         |                                              |                                           |
| symfony    | symfony         |                                              |                                           |
| symfony    | symfony         |                                              |                                           |
| symfony    | symfony         | >= 0 < 5.4.23+dfsg-1+deb12u5                 | 5.4.23+dfsg-1+deb12u5                     |
| symfony    | symfony         | >= 0 < 6.4.21+dfsg-2+deb13u1                 | 6.4.21+dfsg-2+deb13u1                     |
| symfony    | symfony         | >= 0 < 7.4.0~rc1+dfsg-1                      | 7.4.0~rc1+dfsg-1                          |
| symfony    | symfony         | >= 2.0.0 < 5.4.50                            | 5.4.50                                    |
| symfony    | symfony         | >= 6.0.0 < 6.4.29                            | 6.4.29                                    |
| symfony    | symfony         | >= 7.0.0 < 7.3.7                             | 7.3.7                                     |

Detection & IOCs (extracted from sources)

url: /{{front_controller}}_profiler/
path: /index.php_profiler/
path: /app.php_profiler/
url: https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
  • Probe for an exposed Symfony Profiler endpoint by requesting /<front_controller>_profiler/ (e.g. /index.php_profiler/ or /app.php_profiler/); a successful bypass response will contain 'Symfony Profiler', 'Profiler', or 'Symfony-Debug-Toolbar' in the body.
  • The vulnerability is triggered by PATH_INFO values that cause the Request class to produce URL paths without a leading `/`, bypassing access control rules that rely on the `/`-prefix assumption.
  • Symfony installations can be identified via a Shodan CPE query for sensiolabs symfony; affected versions are >= 2.0.0 and < 5.4.50, 6.4.29, or 7.3.7.
  • The nuclei template targets only two common front-controller filenames (index.php, app.php); other front-controller names in use by a target application would not be detected.
  • Detection stops at the first matching front-controller payload, so only one probe result is evaluated per host.
  • The fix is version-specific: patches are available in 5.4.50, 6.4.29, and 7.3.7; Debian stable (bookworm) ships the fix in 5.4.23+dfsg-1+deb12u5, while bullseye remains open.

CVSS provenance

nvd: CVSS v3.1, 7.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
osv: 7.3 HIGH
vendor_debian: 7.3 HIGH