CVE-2025-64500 Scanner

CVE-2025-64500 Scanner - Unauthorized Admin Access vulnerability in Symfony HttpFoundation

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 17 hours
Scan only one: Domain, Subdomain, IPv4

The Symfony HttpFoundation component is widely used for creating and managing HTTP requests and responses in web applications. It is a crucial part of the Symfony framework, which is a popular PHP framework for building web applications. Developers across the world leverage Symfony for its structured and reusable code, thereby speeding up development and maintenance tasks. The HttpFoundation component provides tools to manage request data, sessions, and cookies in a consistent and efficient manner. It is utilized by small to large-scale applications, given its flexibility and comprehensiveness. Many businesses rely on it to ensure the smooth handling of HTTP transactions in their web services.

The vulnerability arises because the HttpFoundation component improperly interprets some PATH_INFO values, which allows an attacker to bypass access control rules. The misinterpretation alters the URL path, so restrictions that rely on the URL prefix assumption for authorization no longer apply. Intruders could then access sensitive or restricted resources within the application environment. Such access could lead to information disclosure or unauthorized modification of resources. The vulnerability is classified as high severity because of the risks associated with unauthorized access to protected sections of an application.

Technically, the vulnerability lies in the Request class's parsing mechanism within Symfony's HttpFoundation component. When PATH_INFO values are not properly prefixed, URL paths may be formed incorrectly, so a request can be handled as though it had legitimate access. Specifically, it concerns how incoming request paths are interpreted: the interpretation can sidestep the path hierarchy that access restrictions depend on. As a result, requests that should be denied under normal circumstances are processed instead. Understanding and addressing this parsing issue is imperative for ensuring that access control remains effective and intact.
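The prefix assumption described above, as an added example that is not Symfony's code or part of the original page: a simplified model of first-match access rules, showing how a path without the leading slash falls through and how normalization and a default-deny fallback close the gap. The function names, rule patterns and sample paths are constructed for illustration.

```php
<?php
// Added illustration: a simplified model of prefix-based access rules,
// not Symfony's own code. Rule patterns and sample paths are constructed.

/** First matching rule wins; no match means no role is required. */
function requiredRole(string $path, array $rules): ?string
{
    foreach ($rules as $pattern => $role) {
        if (preg_match($pattern, $path) === 1) {
            return $role;
        }
    }
    return null;
}

/** Defensive normalization: a path handed to the rules always starts with "/". */
function normalizePath(string $path): string
{
    return '/' . ltrim($path, '/');
}

/** Default-deny variant: anything not explicitly public needs at least ROLE_USER. */
function requiredRoleStrict(string $path, array $rules, array $public): ?string
{
    $path = normalizePath($path);
    $role = requiredRole($path, $rules);
    if ($role !== null) {
        return $role;
    }
    foreach ($public as $pattern) {
        if (preg_match($pattern, $path) === 1) {
            return null;
        }
    }
    return 'ROLE_USER';
}

$rules  = ['#^/admin#' => 'ROLE_ADMIN'];
$public = ['#^/$#', '#^/login$#'];
// Constructed path values: the second lacks the leading slash the rule assumes.
foreach (['/admin/users', 'admin/users', '/login'] as $path) {
    printf(
        "%-14s naive=%-10s normalized=%-10s strict=%s\n",
        $path,
        requiredRole($path, $rules) ?? 'none',
        requiredRole(normalizePath($path), $rules) ?? 'none',
        requiredRoleStrict($path, $rules, $public) ?? 'none'
    );
}
```

The naive column shows the unprefixed path matching no rule, while the normalized and strict columns still require ROLE_ADMIN for it.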

If exploited, the vulnerability can have significant consequences, such as unauthorized access to confidential areas of a web application. This could enable attackers to view or manipulate data that should otherwise be inaccessible, leading to breaches of data integrity and confidentiality. Moreover, it might facilitate the exploitation of further vulnerabilities by providing an entry point or the permissions needed to reach them. Organizations using Symfony should be particularly wary of such access control weaknesses, as they undermine fundamental security assurances.
