The Symfony project has released security updates to address a newly disclosed vulnerability affecting its widely used HTTP Foundation component. Tracked as CVE-2025-64500 and rated CVSS 7.3, the flaw stems from incorrect parsing of the PATH_INFO value and could enable limited authorization bypass in certain applications using the framework.
Symfony describes itself as “a PHP framework for web and console applications and a set of reusable PHP components,” noting that it is “used by thousands of web applications and most of the popular PHP projects.”
The vulnerability originates from how Symfony’s Request class interprets some URL paths. According to the advisory, “The Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn’t start with a /.”
This seemingly small deviation can have significant consequences for applications that rely on a leading slash to enforce access rules. The project warns that this behavior “can allow bypassing some access control rules that are built with this /-prefix assumption.”
The vulnerability impacts multiple major branches of Symfony:

| Symfony Version | Status |
|---|---|
| < 5.4.50 | Vulnerable |
| >= 6.0 and < 6.4.29 | Vulnerable |
| >= 7.0 and < 7.3.7 | Vulnerable |

Symfony confirms that “The issue has been fixed in Symfony 5.4.50, 6.4.29, and 7.3.7.”
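The affected ranges above translate into a quick check a practitioner can run against the installed `symfony/http-foundation` package. The following plain PHP script is an added example, not code from Symfony or the advisory: it encodes the three ranges from the table and classifies a version string such as the one `composer show symfony/http-foundation` prints (which carries a leading `v`). The sample version list at the bottom is constructed to sit on each side of every boundary.

```php
<?php
// Added example (not from the advisory): decide whether an installed
// symfony/http-foundation version falls in one of the affected ranges
// from the table above. Version strings come from e.g.
// `composer show symfony/http-foundation`, which prints them as "v6.4.28".

declare(strict_types=1);

/** Affected ranges and first fixed release per branch, as stated in the advisory. */
const HTTP_FOUNDATION_RANGES = [
    // [inclusive lower bound or null, first fixed version]
    [null,    '5.4.50'], // < 5.4.50
    ['6.0.0', '6.4.29'], // >= 6.0 and < 6.4.29
    ['7.0.0', '7.3.7'],  // >= 7.0 and < 7.3.7
];

/** Returns true when $version is inside a range the advisory lists as vulnerable. */
function isAffectedVersion(string $version): bool
{
    // composer prints "v6.4.28"; version_compare() must see "6.4.28".
    $v = ltrim(trim($version), 'v');
    foreach (HTTP_FOUNDATION_RANGES as [$low, $fixed]) {
        if ($low !== null && version_compare($v, $low, '<')) {
            continue; // below this branch's lower bound, not this range
        }
        if (version_compare($v, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Constructed sample versions, one on each side of every boundary.
$samples = ['v5.4.49', 'v5.4.50', 'v6.0.0', 'v6.4.28', 'v6.4.29', 'v7.3.6', 'v7.3.7', 'v7.4.0'];

// Pass a version on the command line to check a real installation instead.
$toCheck = isset($argv[1]) ? [$argv[1]] : $samples;

foreach ($toCheck as $version) {
    printf("%-8s %s\n", $version, isAffectedVersion($version) ? 'AFFECTED - upgrade' : 'fixed');
}
```

Run it as `php check.php "$(composer show symfony/http-foundation --format=json | php -r 'echo json_decode(stream_get_contents(STDIN))->versions[0];')"` or simply paste the version string as the first argument; versions at or above 5.4.50, 6.4.29 and 7.3.7 report as fixed.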
To remediate the flaw, the Symfony team updated the Request class to enforce consistent URL normalization. As stated in the advisory: “The Request class now ensures that URL paths always start with a /.”
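To make the mechanism described above concrete (a path without a leading `/` slipping past a rule written with the `/`-prefix assumption, and the invariant the fix restores), here is an added example in plain PHP with no Symfony dependency. It is not Symfony's code: the `isAdminPath` rule, the `normalizePath` helper and the sample paths are assumptions made for the illustration, and how the `Request` class derives the path from `PATH_INFO` is deliberately not reproduced.

```php
<?php
// Added example (not Symfony's code, no Symfony dependency): a prefix-based
// access rule of the kind the advisory describes, and a normalization step
// that enforces the "path always starts with /" invariant. Requires PHP 8.0+.

declare(strict_types=1);

/**
 * Access rule written with the common assumption that every request path
 * starts with "/". Returns true when the path must be treated as admin-only.
 * Assumed rule for the example; real rules are usually regexes or route matchers.
 */
function isAdminPath(string $path): bool
{
    return str_starts_with($path, '/admin');
}

/**
 * Normalization in the spirit of the fix quoted in the advisory: guarantee
 * a leading "/" before any rule inspects the path. This helper is the
 * example's own, not Symfony's implementation.
 */
function normalizePath(string $path): string
{
    return '/' . ltrim($path, '/');
}

/**
 * Evaluate one path the way an access layer would, reporting whether the
 * admin rule fired on the raw path and on the normalized path.
 */
function evaluate(string $rawPath): array
{
    $normalized = normalizePath($rawPath);
    return [
        'raw'          => $rawPath,
        'normalized'   => $normalized,
        'admin_before' => isAdminPath($rawPath),
        'admin_after'  => isAdminPath($normalized),
    ];
}

// Constructed sample paths. The second one stands in for the class of values
// the advisory describes: an admin resource represented without a leading "/".
$samples = ['/admin/users', 'admin/users', '/public/page'];

foreach ($samples as $raw) {
    $r = evaluate($raw);
    printf(
        "%-15s admin rule: before=%-3s after=%-3s (normalized to %s)\n",
        var_export($r['raw'], true),
        $r['admin_before'] ? 'yes' : 'NO',
        $r['admin_after'] ? 'yes' : 'no',
        $r['normalized']
    );
}
```

The middle line of the output is the whole story: `admin/users` is an admin resource, yet the raw check reports `NO` and the request would fall through to whatever branch handles unprotected paths, while the same path normalized to `/admin/users` is caught. The remediation is to upgrade to a fixed release; the normalization here only shows why the invariant the fix enforces matters to every rule built on a path prefix.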
A patch has been made available for the 5.4 branch, and corresponding updates have been released for all affected long-term support and stable versions.