CVE-2025-64500
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| symfony | http_foundation | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-647 | The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Symfony PHP framework's HttpFoundation component, specifically in the Request class. Affected releases are 2.0.0 and later up to the fix in each maintained branch: before 5.4.50, before 6.4.29, and before 7.3.7. In those releases the Request class misinterprets some PATH_INFO values and produces a URL path that does not start with a '/'. Access control rules that are written on the assumption that every path begins with '/' (for example, a rule anchored on a leading '/admin' prefix) then fail to match such a path, so the restriction they were meant to enforce is not applied. This is an instance of CWE-647, authorization based on a URL that is assumed to be canonical. The issue is fixed in 5.4.50, 6.4.29, and 7.3.7 by ensuring the path always starts with a '/' before it is used.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass access control rules that rely on the assumption that URL paths start with a '/'. By exploiting this, unauthorized users might gain access to restricted resources or perform actions they should not be allowed to, potentially leading to information disclosure, data modification, or service disruption.
What immediate steps should I take to mitigate this vulnerability?
Upgrade symfony/http-foundation to the fixed release for your branch: 5.4.50, 6.4.29, or 7.3.7 (or any later release in that branch). In those versions the Request class ensures the URL path always starts with a '/', so PATH_INFO can no longer yield a non-canonical path that slips past path-based access control. The component is usually pulled in transitively, so check the installed version with `composer show symfony/http-foundation` rather than only looking at your top-level requirements.
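The following stand-alone PHP script is an added illustration of the CWE-647 failure mode described in the explanation above and of the normalization the mitigation above relies on; it is not code from BaseFortify or from the Symfony project and uses none of Symfony's classes. The rule table, the helper names `requiredRole` and `canonicalPath`, and the two request paths are assumptions constructed for the example.

```php
<?php
// Added example, not from the Symfony project: models a path-regex access
// control table that assumes every path starts with '/', shows what happens
// when a path arrives without that leading slash, and applies the kind of
// canonicalization (force a leading '/') the fixed releases perform.

declare(strict_types=1);

// Assumed rule table in the style of a first-match-wins access control list.
// Each regex is anchored on a leading '/', so it silently assumes the path
// it is tested against is canonical.
const ACCESS_RULES = [
    ['path' => '#^/admin#', 'role' => 'ROLE_ADMIN'],
    ['path' => '#^/#',      'role' => 'PUBLIC'],
];

/**
 * Returns the role the first matching rule requires, or null when no rule
 * matches at all. In a list like this, "no rule matched" usually means
 * "no restriction applies", which is exactly what an attacker wants.
 */
function requiredRole(string $path): ?string
{
    foreach (ACCESS_RULES as $rule) {
        if (preg_match($rule['path'], $path) === 1) {
            return $rule['role'];
        }
    }
    return null;
}

/**
 * The canonicalization step: guarantee exactly one leading '/' before any
 * authorization rule looks at the path. Run this before matching, never after.
 */
function canonicalPath(string $path): string
{
    return '/' . ltrim($path, '/');
}

// Constructed inputs: a canonical path, and the same path without its leading
// slash, which is the shape a vulnerable Request could produce from PATH_INFO.
$samples = ['/admin/users', 'admin/users'];

printf("%-14s %-12s %s\n", 'path', 'raw match', 'after canonicalPath()');
foreach ($samples as $p) {
    printf(
        "%-14s %-12s %s\n",
        $p,
        requiredRole($p) ?? 'NO RULE',
        requiredRole(canonicalPath($p)) ?? 'NO RULE'
    );
}
```

Run with `php example.php`. The raw column shows `admin/users` matching no rule at all, so the ROLE_ADMIN requirement never applies to it, while the canonicalized column restores the expected ROLE_ADMIN decision for both inputs. The practical lesson is the CWE-647 one: authorization decisions keyed on a URL must run on a canonical form, and the canonicalization has to happen before the rule lookup, not be assumed by the rules themselves.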