CVE-2025-64500: 
PHP vulnerability analysis and mitigation

Symfony, a PHP framework for web and console applications, disclosed a security vulnerability (CVE-2025-64500) affecting its HttpFoundation component. The vulnerability was discovered in versions starting from 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7. The issue involves improper interpretation of PATH_INFO in the Request class, which could lead to URLs being represented without a leading forward slash (Symfony Blog, NVD).

The vulnerability stems from the Request class's improper handling of PATH_INFO interpretation, specifically in the preparePathInfo method. The issue allows some URLs to be represented with paths that don't start with a forward slash (/), potentially undermining security assumptions. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The weakness is categorized as CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions) (GitHub Advisory, Miggo).

The vulnerability can allow attackers to bypass certain access control rules that are built with the /-prefix assumption. This could lead to unauthorized access to protected resources, potentially compromising the security of applications using affected Symfony versions (GitHub Advisory).

The vulnerability has been fixed in Symfony versions 5.4.50, 6.4.29, and 7.3.7. The patch ensures that the Request class now properly validates URL paths to always start with a forward slash. Users are strongly advised to upgrade to these patched versions (Symfony Blog).

The community has actively discussed the vulnerability on various platforms. Comments on the Symfony blog indicate some users experienced issues detecting the vulnerability through composer audit, while others confirmed its detection in their projects (Symfony Blog).