The Symfony project has released security updates to address a newly disclosed vulnerability affecting its widely used HTTP Foundation component. Tracked as CVE-2025-64500 and rated CVSS 7.3, the flaw stems from incorrect parsing of the PATH_INFO value and could enable limited authorization bypass in certain applications using the framework.
Symfony describes itself as "a PHP framework for web and console applications and a set of reusable PHP components," noting that it is "used by thousands of web applications and most of the popular PHP projects."
The vulnerability originates from how Symfony's Request class interprets some URL paths. According to the advisory, "The Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /."
This seemingly small deviation matters because access rules are commonly written as patterns anchored on a leading slash (for example, a rule covering everything under /admin); a path that arrives without that slash simply fails to match any such rule. The project warns that this behavior "can allow bypassing some access control rules that are built with this /-prefix assumption."
The vulnerability impacts multiple major branches of Symfony:
| Symfony Version | Status |
|---|---|
| < 5.4.50 | Vulnerable |
| >= 6.0 and < 6.4.29 | Vulnerable |
| >= 7.0 and < 7.3.7 | Vulnerable |
Symfony confirms that "The issue has been fixed in Symfony 5.4.50, 6.4.29, and 7.3.7."
To remediate the flaw, the Symfony team updated the Request class to enforce consistent URL normalization. As stated in the advisory: "The Request class now ensures that URL paths always start with a /."
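To make the "/-prefix assumption" and the fix concrete, here is an added Python model. It is not Symfony's code and it does not reproduce the actual parsing defect, which the advisory does not detail: the `path_info_unsafe` function is a hypothetical stand-in that yields a PATH_INFO without its leading slash for a constructed malformed request URI, the access-control table is constructed sample data written in the regex form that Symfony's `access_control` `path:` entries use (such as `^/admin`), and the base URL `/app.php` is an assumed front controller. The point it shows is that every rule anchored on `^/`, including a final catch-all, stops matching once the slash is gone, and that restoring the invariant the fix enforces (the path always starts with `/`) makes the rules match again.

```python
import re

# Constructed access-control table for this example. Each entry is a regex
# tested against PATH_INFO, the same shape as the `path:` patterns of a
# Symfony access_control rule (e.g. `path: ^/admin`). Not Symfony's own code.
ACCESS_CONTROL = [
    (re.compile(r"^/admin"), "ROLE_ADMIN"),
    (re.compile(r"^/api/internal"), "ROLE_INTERNAL"),
    (re.compile(r"^/"), "PUBLIC_ACCESS"),  # final catch-all rule
]


def required_role(path_info):
    """First matching rule wins. Returns None when nothing matches, a case a
    rule set built on the '/'-prefix assumption never expects to reach."""
    for pattern, role in ACCESS_CONTROL:
        if pattern.search(path_info):
            return role
    return None


def path_info_unsafe(request_uri, base_url):
    """Hypothetical pre-fix style derivation (not the real Symfony code):
    drop the query string, strip the base URL by length and return the
    remainder unchanged. When the remainder lacks a leading '/', it is
    passed on without one, which is the defect class the advisory describes."""
    path = request_uri.split("?", 1)[0]
    if base_url and path.startswith(base_url):
        path = path[len(base_url):]
    return path if path else "/"


def path_info_fixed(request_uri, base_url):
    """Same derivation plus the invariant the fix enforces: PATH_INFO
    always starts with '/'."""
    path = path_info_unsafe(request_uri, base_url)
    if not path.startswith("/"):
        path = "/" + path
    return path


def authorize(request_uri, base_url, derive):
    """Returns (path_info, required_role) for the given derivation function."""
    path = derive(request_uri, base_url)
    return path, required_role(path)


if __name__ == "__main__":
    base = "/app.php"  # assumed front-controller base URL
    # Constructed inputs: a well-formed URI and a malformed one whose remainder
    # after the base URL has no leading slash.
    for uri in ("/app.php/admin/users", "/app.phpadmin/users?x=1"):
        for name, fn in (("unsafe", path_info_unsafe), ("fixed", path_info_fixed)):
            path, role = authorize(uri, base, fn)
            print(f"{name:6} {uri!r:30} -> path={path!r:16} role={role}")
```

Running the block shows the malformed URI producing `admin/users` with no matching rule under the unsafe derivation, and `/admin/users` requiring `ROLE_ADMIN` once the leading slash is guaranteed. When auditing an application, the same reasoning applies to any custom code that inspects the path with a `^/` anchor: it is only as safe as the normalization that feeds it.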
Fixes are available on every affected branch, including the 5.4 and 6.4 long-term support lines and the 7.3 stable line; applications pinned to any of them should upgrade to 5.4.50, 6.4.29, or 7.3.7 respectively, and those that cannot upgrade immediately should review any access-control rules that rely on a leading slash in the request path.