symfony/http-foundation is vulnerable to Authorization Bypass
81
High Risk
Affected versions of this package are vulnerable to an authorization bypass. The Request class improperly handles certain PATH_INFO values, allowing URLs to be represented without a leading /. This behavior can bypass access control mechanisms that rely on the assumption that all paths begin with a /.
You are affected if you are using a version that falls within the vulnerable ranges:
symfony/http-foundation is vulnerable to Authorization Bypass in versions 2.0.0 - 5.4.49, 6.0.0 - 6.4.28 and 7.0.0 - 7.3.6.
Upgrade the symfony/http-foundation library to a patched version.
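The failure mode described above, shown as an added example that is not Symfony's code or its patch: a prefix-anchored access rule never matches a path that arrives without its leading `/`, so the request is treated as public. The rule table, function names and sample paths are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed rule table in the style of prefix-anchored access rules
// (hypothetical; not taken from Symfony or from the advisory).
const ACCESS_RULES = [
    '#^/admin#'   => 'ROLE_ADMIN',
    '#^/account#' => 'ROLE_USER',
];

/** Returns the role required for $path, or null when no rule matches. */
function requiredRole(string $path): ?string
{
    foreach (ACCESS_RULES as $pattern => $role) {
        if (preg_match($pattern, $path) === 1) {
            return $role;
        }
    }
    return null; // no rule matched: the path is treated as public
}

/** Defensive guard: the matcher only ever sees a path with exactly one leading "/". */
function normalizePath(string $path): string
{
    return '/' . ltrim($path, '/');
}

/** Hardened lookup: normalize first, then match against the rules. */
function requiredRoleHardened(string $path): ?string
{
    return requiredRole(normalizePath($path));
}

// Constructed sample paths; the second one lacks the leading slash.
foreach (['/admin/users', 'admin/users', '/public/page'] as $path) {
    printf(
        "%-14s naive=%-11s hardened=%s\n",
        $path,
        requiredRole($path) ?? '(none)',
        requiredRoleHardened($path) ?? '(none)'
    );
}
```

A guard like `normalizePath()` is defense in depth for custom path checks; upgrading the library remains the remediation.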