{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-64500","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-11-05T19:12:25.103Z","datePublished":"2025-11-12T21:40:57.738Z","dateUpdated":"2025-11-13T16:50:55.341Z"},"containers":{"cna":{"title":"Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass","problemTypes":[{"descriptions":[{"cweId":"CWE-647","lang":"en","description":"CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}}],"references":[{"name":"https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm","tags":["x_refsource_CONFIRM"],"url":"https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm"},{"name":"https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac","tags":["x_refsource_MISC"],"url":"https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac"},{"name":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml","tags":["x_refsource_MISC"],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml"},{"name":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml","tags":["x_refsource_MISC"],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml"},{"name":"https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass","tags":["x_refsource_MISC"],"url":"https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass"}],"affected":[{"vendor":"symfony","product":"symfony","versions":[{"version":">= 2.0.0, < 5.4.50","status":"affected"},{"version":">= 6.0.0, < 6.4.29","status":"affected"},{"version":">= 7.0.0, < 7.3.7","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-11-12T21:40:57.738Z"},"descriptions":[{"lang":"en","value":"Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` values, in a way that leads to some URLs being represented with a path that does not start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`."}],"source":{"advisory":"GHSA-3rg7-wf37-54rm","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-13T16:50:43.104313Z","id":"CVE-2025-64500","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-13T16:50:55.341Z"}}]}}