CVE-2025-64500
Published: 12 November 2025
Summary
CVE-2025-64500 is a high-severity Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647) vulnerability in Sensiolabs Httpfoundation. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Symfony's HttpFoundation component, used within the Symfony PHP framework for web and console applications, is affected by CVE-2025-64500. In versions from 2.0.0 through 5.4.49, 6.4.28, and 7.3.6, the Request class mishandles certain PATH_INFO inputs, resulting in URL paths that do not begin with a leading slash. This behavior deviates from the expectations of access-control logic that assumes all paths are prefixed with /, and the issue is tracked under CWE-647.
An unauthenticated remote attacker can send crafted HTTP requests that trigger the flawed path representation. Successful exploitation allows limited bypass of authorization rules that depend on the slash prefix, potentially exposing resources with impacts to confidentiality, integrity, and availability as reflected in the CVSS 7.3 score.
Symfony security advisories and the corresponding patches direct users to upgrade to version 5.4.50, 6.4.29, or 7.3.7 (or later). These releases modify the Request class to enforce that all URL paths begin with a forward slash; the change is documented in the referenced GitHub commit and the official Symfony blog post. The EPSS score remains low, with only minimal movement between its current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-131928
Vulnerability details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
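To make the CWE-647 failure mode in the "Deeper analysis" and "Vulnerability details" sections concrete, here is an added example (not Symfony code, and not the project's configuration format) that models path-prefix access rules, shows why a path lacking its leading slash slips past every `^/`-anchored rule, and applies the canonicalisation the fixed releases perform before authorisation. The rule table, role names and request paths are constructed for the example.

```python
import re
from typing import Optional

# Access-control rules in the "path regex -> required role" style common to web
# frameworks. Every pattern is anchored on "^/", the assumption CWE-647 is about.
# Constructed for this example; not Symfony's own rule syntax.
ACCESS_RULES = [
    (re.compile(r"^/admin"), "ROLE_ADMIN"),
    (re.compile(r"^/api/internal"), "ROLE_SERVICE"),
]


def matching_rule(path: str) -> Optional[str]:
    """Return the role demanded by the first rule matching `path`, or None if none match."""
    for pattern, role in ACCESS_RULES:
        if pattern.search(path):
            return role
    return None


def canonical_path(path: str) -> str:
    """Guarantee the path the authoriser sees starts with '/', as the fixed Request class does."""
    return path if path.startswith("/") else "/" + path


def authorize(path: str, user_roles: frozenset, canonicalize: bool) -> bool:
    """Allow or deny `path` for a user holding `user_roles`.

    A path matched by no rule is allowed, mirroring the common "no rule, no
    restriction" behaviour that turns a non-canonical path into a bypass.
    With canonicalize=True the path is normalised before the rules run.
    """
    if canonicalize:
        path = canonical_path(path)
    role = matching_rule(path)
    return role is None or role in user_roles


def demo() -> dict:
    """Compare the unpatched and patched behaviour on constructed request paths."""
    anon = frozenset()
    return {
        "canonical_denied": authorize("/admin/users", anon, canonicalize=False),
        "noncanonical_bypass": authorize("admin/users", anon, canonicalize=False),
        "fixed_denied": authorize("admin/users", anon, canonicalize=True),
        "admin_allowed": authorize("admin/users", frozenset({"ROLE_ADMIN"}), canonicalize=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'DENIED'}")
```

A complementary mitigation independent of the upgrade is a final catch-all rule that denies anything no earlier rule matched, so an unexpected path representation fails closed instead of open.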
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.