CVE-2025-64500 Overview
CVE-2025-64500 affects the Symfony HttpFoundation component, a widely used PHP library providing an object-oriented layer over the HTTP specification. The Request class improperly interprets certain PATH_INFO values, producing URL paths that do not begin with a / character. Applications that build access control rules assuming a /-prefixed path can be bypassed by attackers crafting requests that exploit this parsing inconsistency. The flaw maps to [CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions]. It affects Symfony versions from 2.0.0 up to the fixed releases 5.4.50, 6.4.29, and 7.3.7.
Critical Impact
Remote unauthenticated attackers can bypass URL-based access control rules in Symfony applications, potentially reaching restricted routes and resources.
Affected Products
- Symfony framework versions 2.0.0 through 5.4.49
- Symfony framework versions 6.0.0 through 6.4.28
- Symfony framework versions 7.0.0 through 7.3.6 (including the standalone symfony/http-foundation component)
Discovery Timeline
- 2025-11-12 - CVE-2025-64500 published to NVD
- 2026-01-12 - Last updated in NVD database
Technical Details for CVE-2025-64500
Vulnerability Analysis
The vulnerability resides in how Symfony's Request class parses the PATH_INFO server variable when constructing the URL path. Under specific input conditions, the resulting path string is returned without a leading /. Security middleware and firewall rules in Symfony applications typically use string prefix matching to enforce access control, such as restricting paths beginning with /admin. When the parsed path lacks the leading slash, prefix-based checks fail to match, and the request bypasses the intended authorization layer while still being routed to the underlying controller.
Root Cause
The root cause is inconsistent normalization of the PATH_INFO value inside the Request class. The parser did not enforce a canonical form requiring paths to start with /. This mismatch between the canonical assumption used by access control rules and the actual parsed value created the bypass condition. The fix introduced in versions 5.4.50, 6.4.29, and 7.3.7 ensures the Request class always returns paths prefixed with /. The remediation commit is 9962b91b12bb791322fa73836b350836b6db7cac.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request that influences the PATH_INFO parsing. The resulting non-canonical path evades firewall pattern matching, allowing the attacker to reach handlers protected by /-prefixed access rules. Exploitation requires no special privileges or user interaction. The impact is bounded by what access control logic depends on prefix matching of the request path. See the Symfony Blog Post Analysis for vendor analysis.
Detection Methods for CVE-2025-64500
Indicators of Compromise
- Web server access logs containing requests with unusual PATH_INFO constructions, particularly paths that resolve without a leading /.
- Application logs showing successful access to protected controllers without corresponding firewall or access decision audit entries.
- HTTP requests targeting administrative or restricted routes that were not preceded by an authentication event.
Detection Strategies
- Inventory deployed PHP applications and identify Symfony versions in use through composer.lock files or composer show symfony/http-foundation output.
- Compare installed versions against the fixed releases 5.4.50, 6.4.29, and 7.3.7 to flag vulnerable instances.
- Review application firewall configurations for access rules that rely on string prefix matching of the request path.
Monitoring Recommendations
- Enable verbose logging of resolved request paths and matched firewall rules in production Symfony applications.
- Forward web server and application logs to a centralized analytics platform and alert on access to sensitive routes lacking prior authentication events.
- Monitor for spikes in 200 responses on routes that should produce 401 or 403 status codes.
How to Mitigate CVE-2025-64500
Immediate Actions Required
- Upgrade symfony/http-foundation and the Symfony framework to version 5.4.50, 6.4.29, or 7.3.7 depending on the major branch in use.
- Audit application firewall and security voter configurations for assumptions that the request path always starts with /.
- Restart PHP-FPM or the application runtime after upgrading dependencies to ensure the patched code is loaded.
Patch Information
The fix is delivered through commit 9962b91b12bb791322fa73836b350836b6db7cac, which forces Request URL paths to always begin with /. Refer to the GHSA-3rg7-wf37-54rm advisory and the Symfony patch commit for details. Update via Composer using the patched constraints for the relevant branch.
Workarounds
- Where immediate patching is not possible, add a reverse proxy or web server rewrite rule that rejects or normalizes requests with malformed PATH_INFO values.
- Implement additional server-side authorization checks inside controllers rather than relying solely on path-prefix firewall rules.
- Restrict access to administrative routes at the network layer until the patched Symfony version is deployed.
# Configuration example
composer require symfony/http-foundation:^7.3.7
composer update symfony/http-foundation
php bin/console cache:clear --env=prod
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

