|
Vulnerabilities
< Back

CVE-2025-64500

Updated on 12 Nov 2025

Severity

7.3 High severity

Details

CVSS score
7.3
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony’s HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn’t start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the Request class now ensures that URL paths always start with a /.

Details

Affected product:
Laravel , Symfony , cboden/ratchet , ratchetphp/pawl , voryx/thruway
Affected packages:
cboden/ratchet @ v0.3.6 (+51 more)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony’s HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn’t start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the Request class now ensures that URL paths always start with a /.

Fixes