High severityNVD Advisory· Published Nov 12, 2025· Updated Nov 13, 2025

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

CVE-2025-64500

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the Request class now ensures that URL paths always start with a /.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
symfony/http-foundationPackagist	< 5.4.50	5.4.50
symfony/http-foundationPackagist	>= 6.0.0, < 6.4.29	6.4.29
symfony/http-foundationPackagist	>= 7.0.0, < 7.3.7	7.3.7
symfony/symfonyPackagist	>= 2.0.0, < 5.4.50	5.4.50
symfony/symfonyPackagist	>= 6.0.0, < 6.4.29	6.4.29
symfony/symfonyPackagist	>= 7.0.0, < 7.3.7	7.3.7

Affected products

Sensiolabs/Symfonyv5
Range: >= 2.0.0, < 5.4.50

Patches

9962b91b12bb

[HttpFoundation] Fix parsing pathinfo with no leading slash

https://github.com/symfony/symfonyNicolas GrekasOct 31, 2025via ghsa

commit

2 files changed · +12 −3

src/Symfony/Component/HttpFoundation/Request.php+2 −3 modified

@@ -1983,9 +1983,8 @@ protected function preparePathInfo()
         }
 
         $pathInfo = substr($requestUri, \strlen($baseUrl));
-        if (false === $pathInfo || '' === $pathInfo) {
-            // If substr() returns false then PATH_INFO is set to an empty string
-            return '/';
+        if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) {
+            return '/'.$pathInfo;
         }
 
         return $pathInfo;

src/Symfony/Component/HttpFoundation/Tests/RequestTest.php+10 −0 modified

@@ -1876,6 +1876,16 @@ public static function getBaseUrlData()
                 '',
                 '/foo/api/bar',
             ],
+            [
+                '/api/index.phpfoo',
+                [
+                    'SCRIPT_FILENAME' => '/var/www/api/index.php',
+                    'SCRIPT_NAME' => '/api/index.php',
+                    'PHP_SELF' => '/api/index.php',
+                ],
+                '/api/index.php',
+                '/foo',
+            ],
         ];
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-3rg7-wf37-54rmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-64500ghsaADVISORY
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yamlghsax_refsource_MISCWEB
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yamlghsax_refsource_MISCWEB
github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cacghsax_refsource_MISCWEB
github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rmghsax_refsource_CONFIRMWEB
symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypassghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.003
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000