Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2025-64500 — Use of Non-Canonical URL Paths for Authorization Decisions in Httpfoundation
Severity: 7.3 HIGH (NVD)
EPSS: 1.8% (top 17.00%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline: Published Nov 12
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-pref…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (Exploitability: 3.9 | Impact: 3.4)
Affected Packages: 6 packages
Patches
Vulnerability Details
CVE List (4 entries)
OSV: CVE-2025-64500: Symfony is a PHP framework for web and console applications and a set of reusable PHP components (2025-11-12)
Exploits & PoCs
Nuclei (1): Symfony HttpFoundation - Access Control Bypass via PATH_INFO
Vendor Advisories
Debian (1): CVE-2025-64500: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... (2025)