CVE-2025-64500

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfonys HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesnt start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the Request class now ensures that URL paths always start with a /.

Weakness

The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

Affected Software

Extended Description

If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as:

Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule).

Potential Mitigations

References

• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml
• https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
• https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
• https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass