PT-2025-46712
Published: 2025-11-12
Updated: 2026-04-03
CVE-2025-64500
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Symfony versions 2.0.0 through 5.4.49, 6.0.0 through 6.4.28, and 7.0.0 through 7.3.6
Description
Symfony's HttpFoundation component's Request class incorrectly parses PATH INFO, potentially allowing URLs without a leading / to bypass access control rules that rely on this prefix. This issue can lead to authorization bypass.
Recommendations
Update to Symfony version 5.4.50 or later.
Update to Symfony version 6.4.29 or later.
Update to Symfony version 7.3.7 or later.
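The failure mode in the description, prefix-based access rules evaluated against a path that lacks its leading slash, is illustrated below by an added PHP example that is not Symfony's own code or the project's fix. The rule table, the `normalizePathInfo` helper and the sample path values are constructed for the illustration; a rule keyed on `^/admin` only matches once the path is guaranteed to start with `/`.

```php
<?php
declare(strict_types=1);

/**
 * Guarantee that a path-info string begins with exactly one "/".
 * Hypothetical helper written for this example; it states the invariant
 * that prefix-based access rules depend on, it is not Symfony's implementation.
 */
function normalizePathInfo(string $pathInfo): string
{
    // Drop any leading slashes, then prepend a single one ("" becomes "/").
    return '/' . ltrim($pathInfo, '/');
}

/**
 * Walk an ordered list of access rules (regex on path => required role),
 * the way an access_control table is evaluated: first match wins.
 * Returns the required role, or null when no rule matches (request allowed).
 */
function requiredRoleFor(string $pathInfo, array $rules): ?string
{
    foreach ($rules as $pattern => $role) {
        if (preg_match($pattern, $pathInfo) === 1) {
            return $role;
        }
    }
    return null;
}

// Constructed rule: everything under /admin requires ROLE_ADMIN.
$rules = ['#^/admin#' => 'ROLE_ADMIN'];

// Constructed path-info values, including ones missing the leading slash.
$samples = ['/admin/users', 'admin/users', 'admin', '//admin/users', ''];

foreach ($samples as $raw) {
    // Rule applied to the raw value versus the normalized value.
    $rawRole  = requiredRoleFor($raw, $rules) ?? 'none';
    $safeRole = requiredRoleFor(normalizePathInfo($raw), $rules) ?? 'none';
    printf("%-16s raw=%-10s normalized=%s\n", var_export($raw, true), $rawRole, $safeRole);
}
```

Run with `php example.php`; the rows without a leading slash show the rule silently not matching until the path is normalized, which is the check a defender wants applied before any prefix rule is consulted.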
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
- Debian
- Process
- Red Os