CVE-2025-64500: 
PHP vulnerability analysis and mitigation

A vulnerability (CVE-2025-64500) was discovered in Symfony's HTTP Foundation component affecting versions <5.4.50, >=6, <6.4.29, and >=7, <7.3.7. The vulnerability was disclosed on November 12, 2025, and involves incorrect parsing of PATH_INFO that could lead to limited authorization bypass. The issue affects the Request class in Symfony's HTTP Foundation component and has been assigned a high severity rating with a CVSS score of 7.3 (Symfony Blog, GitHub Advisory).

The vulnerability stems from the Request class improperly interpreting certain PATH_INFO values, which results in representing some URLs with paths that don't start with a forward slash (/). This implementation flaw is classified as CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions). The vulnerability has a CVSS v3.1 base score of 7.3 with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network vector attack capability with low complexity and no required privileges or user interaction (GitHub Advisory).

The vulnerability can allow attackers to bypass certain access control rules that are built with the /-prefix assumption. This could lead to unauthorized access to protected resources, potentially compromising the security of applications built using affected Symfony versions (Symfony Blog).

The vulnerability has been patched in Symfony versions 5.4.50, 6.4.29, and 7.3.7. The fix ensures that URL paths always start with a forward slash (/). Users are strongly advised to upgrade to these patched versions. The patch is available in the Symfony repository for branch 5.4 (Symfony Blog).