Cyber Resilience

CVE-2025-64500

High

Published: 12 November 2025

Modified: 12 January 2026
KEV Added: not listed
Patch: fixed releases available (5.4.50, 6.4.29, 7.3.7)
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0631 (91.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64500 is a high-severity Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647) vulnerability in Symfony's HttpFoundation component (recorded as vendor sensiolabs, product httpfoundation in the affected-asset data). Its CVSS v3.1 base score is 7.3 (High).

Operationally, it ranks in the top 8.8% of CVEs by EPSS exploit likelihood (score 0.0631); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Symfony's HttpFoundation component, the object-oriented HTTP layer used by the Symfony PHP framework for web and console applications, is affected by CVE-2025-64500. In versions from 2.0.0 up to and including 5.4.49, 6.4.28 and 7.3.6, the Request class mishandles certain PATH_INFO values and can represent a request with a URL path that does not begin with a leading slash. Access-control logic that assumes every path is prefixed with / (for example, a rule anchored on ^/admin) then fails to match such a request; the weakness is tracked as CWE-647.

An unauthenticated remote attacker can send crafted HTTP requests that produce this non-canonical path representation. Successful exploitation allows a limited bypass of authorization rules that depend on the slash prefix, potentially exposing the resources those rules protect. The CVSS vector reflects low impact to confidentiality, integrity and availability, with no privileges and no user interaction required.

Symfony's security advisory and the corresponding patches direct users to upgrade to 5.4.50, 6.4.29 or 7.3.7 or later. These releases change the Request class so that the URL path always begins with a forward slash; the change is documented in the referenced GitHub commit and the official Symfony blog post. No fixed release is listed for branches older than 5.4, so applications still on 2.x through 4.x need to move to a maintained branch to receive the fix. The absolute EPSS probability remains modest (0.0631, although that places it in the 91st percentile) and has moved little between its current and peak values.
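As an added illustration (not Symfony's code and not code from this page), the PHP below models an access_control-style rule set, shows how a request path that lacks the leading slash slips past a rule anchored on ^/admin, and applies the same canonicalisation the fixed releases perform before any rule is evaluated. The path strings are constructed for the demonstration and are not the specific PATH_INFO input behind CVE-2025-64500; the function and constant names are hypothetical.

```php
<?php
// Added example, not Symfony's code: a CWE-647 "/"-prefix assumption in
// authorization rules, and the canonicalisation that closes it.
declare(strict_types=1);

// Restrictive rules in the style of Symfony's security access_control:
// a regex over the request path and the role it requires. As in Symfony,
// a path that matches no rule is left unrestricted.
const ACCESS_RULES = [
    ['path' => '#^/admin#', 'role' => 'ROLE_ADMIN'],
    ['path' => '#^/api/#',  'role' => 'ROLE_API'],
];

function requiredRole(string $path): string
{
    foreach (ACCESS_RULES as $rule) {
        if (preg_match($rule['path'], $path) === 1) {
            return $rule['role'];
        }
    }
    return 'PUBLIC'; // no rule matched: unrestricted, which is where the bypass lands
}

// Vulnerable pattern: evaluate rules against the path representation as received.
function requiredRoleVulnerable(string $path): string
{
    return requiredRole($path);
}

// Hardened pattern, mirroring the fix described in the advisory: guarantee the
// path starts with "/" before any rule sees it.
function canonicalizePath(string $path): string
{
    return ($path === '' || $path[0] !== '/') ? '/' . $path : $path;
}

function requiredRoleHardened(string $path): string
{
    return requiredRole(canonicalizePath($path));
}

// Constructed sample paths: canonical, two non-canonical forms, and a public one.
$samples = ['/admin/users', 'admin/users', 'api/v1/keys', '/public/index'];

foreach ($samples as $p) {
    printf("%-15s vulnerable=%-10s hardened=%s\n",
        $p, requiredRoleVulnerable($p), requiredRoleHardened($p));
}
```

Run it with `php cwe647_demo.php`: the two non-canonical samples come back unrestricted under the vulnerable variant and restricted under the hardened one. Note that adding a deny-by-default final rule written as `^/` would not rescue the vulnerable variant, because a path without the slash matches that rule no better than the others; the robust fix is to canonicalise before evaluating any rule, which is what the upgraded Request class does.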

EU & UK References

Vulnerability details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

CWE(s)

CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sensiolabs / httpfoundation
2.0.0 ≤ version < 5.4.50 · 6.0.0 ≤ version < 6.4.29 · 7.0.0 ≤ version < 7.3.7
sensiolabs / symfony
2.0.0 ≤ version < 5.4.50 · 6.0.0 ≤ version < 6.4.29 · 7.0.0 ≤ version < 7.3.7
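A quick inventory check, added here as an example (not tooling from this page or from Symfony): given a composer.lock, it reports entries for symfony/http-foundation or the monolithic symfony/symfony whose version falls inside the affected ranges above. The lock-file content is constructed inline, and the function and constant names are hypothetical.

```php
<?php
// Added example, not Symfony's code: flag composer.lock entries that fall in
// the affected version ranges for CVE-2025-64500.
declare(strict_types=1);

// Fixed releases per maintained branch, as listed in the advisory.
// Branches 2.x to 4.x have no fixed release listed.
const FIXED_BY_MAJOR = [5 => '5.4.50', 6 => '6.4.29', 7 => '7.3.7'];
const WATCHED_PACKAGES = ['symfony/http-foundation', 'symfony/symfony'];

function isAffectedVersion(string $version): bool
{
    $v = ltrim($version, 'v');              // composer.lock usually records "v6.4.28"
    if (version_compare($v, '2.0.0', '<')) {
        return false;                       // affected range starts at 2.0.0
    }
    $major = (int) explode('.', $v)[0];
    if (isset(FIXED_BY_MAJOR[$major])) {
        return version_compare($v, FIXED_BY_MAJOR[$major], '<');
    }
    // 2.x to 4.x sit inside "2.0.0 <= version < 5.4.50" with no fix: affected.
    // Majors above 7 are not part of the affected data on this page: not flagged.
    return $major < 5;
}

function affectedEntries(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $entries = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    $hits = [];
    foreach ($entries as $pkg) {
        if (in_array($pkg['name'], WATCHED_PACKAGES, true) && isAffectedVersion($pkg['version'])) {
            $hits[] = sprintf('%s %s', $pkg['name'], $pkg['version']);
        }
    }
    return $hits;
}

// Constructed lock-file fragment for the demonstration.
// For a real project use: $lockJson = file_get_contents('composer.lock');
$lockJson = json_encode([
    'packages' => [
        ['name' => 'symfony/http-foundation', 'version' => 'v6.4.28'],
        ['name' => 'symfony/console',         'version' => 'v6.4.28'],
    ],
    'packages-dev' => [
        ['name' => 'phpunit/phpunit', 'version' => '10.5.0'],
    ],
], JSON_THROW_ON_ERROR);

foreach (affectedEntries($lockJson) as $hit) {
    echo "AFFECTED: $hit\n";
}
```

Composer 2.4 and later also ships `composer audit`, which checks the lock file against the Packagist security-advisory database; the script above is an offline check against the ranges published here and is useful where that lookup is unavailable.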

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References