CVE-2025-64500 - Path Traversal Bypass in Symfony’s HttpFoundation Component
A new critical security vulnerability, CVE-2025-64500, has been uncovered in the popular PHP framework, Symfony. More specifically, it affects Symfony’s HttpFoundation component—which is used widely in web and console applications as the backbone for HTTP handling.
This flaw allows certain URLs to be misinterpreted by the Request class, causing it to process web paths even if they don't begin with a /. If you use access controls that rely on every path starting with /, this could let attackers sneak through your protections.
Let’s break down what’s happening, how you’re affected, the exploit pathway, security patches, and how to fix your apps.
7.3.7
If you’re running any version before these patch releases, you are vulnerable.
What is the Problem?
Symfony’s Request class handles HTTP requests, breaking down the URL and providing methods like getPathInfo() to get pieces of the route. Many devs and libraries assume that every returned path will start with a /. For example, /admin or /profile.
But due to a bug, certain requests with a crafted PATH_INFO could return a route with no starting slash. If your access controls depend on the presence of / at the beginning, attackers might bypass them by using weirdly structured URLs.
Imagine you set up a firewall or access control like this:

```php
if (strpos($request->getPathInfo(), '/admin') === 0) {
    // Only allow admin users!
    if (!$user->isAdmin()) {
        throw new AccessDeniedException('Not authorized!');
    }
}
```
You think you’re safe. Only /admin and below will enter this logic.
The Trick
But thanks to CVE-2025-64500, an attacker crafts a request where PATH_INFO does not start with /, like:
```http
GET //admin HTTP/1.1
Host: victim.com
```
or uses encoded tricks to manipulate PATH_INFO behind the scenes.
Symfony’s internal request parser could, under the hood, interpret this such that getPathInfo() returns admin (no leading /), bypassing your strpos() check!
As a result, the logic never detects it’s an admin path—even though your app might route it that way. Access control: broken!
Vulnerable code
```php
<?php
use Symfony\Component\HttpFoundation\Request;

$request = Request::createFromGlobals();

// Prefix check that assumes getPathInfo() always starts with "/"
if (strpos($request->getPathInfo(), '/admin') === 0) {
    die('Admin access only.');
} else {
    die('Welcome, user!');
}
```
Exploiting it (simulating PATH_INFO)
```shell
curl -H "PATH_INFO: admin/secret" http://localhost/index.php
# Output: Welcome, user!
```
The check fails, because the path info is 'admin/secret' instead of '/admin/secret'.
7.3.7
Symfony now ensures that every path processed always starts with a /, eliminating this attack vector.
Relevant PR and announcement
- Symfony security advisory
- Commit patch (example link)
1. Upgrade Symfony
Update your symfony/http-foundation dependency to at least the minimal safe version for your release branch.
```shell
composer update symfony/http-foundation
```
2. Until you can patch, sanitize path info manually

```php
$path = $request->getPathInfo();
// Guard the empty string too: $path[0] on '' raises an offset warning
if ($path === '' || $path[0] !== '/') {
    $path = '/' . $path;
}
```
3. Review Access Controls
Check any place you trust routing or path checks. Make sure you don’t assume all paths start with a /!
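The manual sanitization in step 2 and the review in step 3 can be combined into one helper. The following is an added example written for this post, not Symfony's own code: it normalizes the path info before any prefix comparison and matches on whole path segments, so a value with no leading slash is still recognized and `/administrator` is not mistaken for `/admin` (the `str_starts_with()` call assumes PHP 8.0 or later; the sample paths are constructed).

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: force the leading "/" before any
// prefix-based access check, so a path-info value that lacks it (the
// condition described for CVE-2025-64500) cannot slip past the check.
function normalizePathInfo(string $pathInfo): string
{
    if ($pathInfo === '' || $pathInfo[0] !== '/') {
        $pathInfo = '/' . $pathInfo;
    }
    return $pathInfo;
}

// Segment-aware prefix check: "/admin" and "/admin/..." match, but
// "/administrator" does not (a bare strpos() prefix test would match it).
function isUnderPrefix(string $pathInfo, string $prefix): bool
{
    $path   = normalizePathInfo($pathInfo);
    $prefix = rtrim($prefix, '/');
    return $path === $prefix || str_starts_with($path, $prefix . '/');
}

// Constructed inputs, including the no-leading-slash shape from the write-up.
$cases = [
    'admin/secret'   => true,
    '/admin'         => true,
    '/admin/users'   => true,
    'admin'          => true,
    '/administrator' => false,
    '/profile'       => false,
    ''               => false,
];

foreach ($cases as $pathInfo => $expected) {
    $got = isUnderPrefix($pathInfo, '/admin');
    printf("%-18s -> %-6s (%s)\n", var_export($pathInfo, true),
        $got ? 'admin' : 'public', $got === $expected ? 'ok' : 'MISMATCH');
}
```

Wire `isUnderPrefix()` in front of your admin check (or as a request listener) and the decision no longer depends on how the server populated PATH_INFO.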
Conclusion
CVE-2025-64500 is an urgent reminder that small assumptions can break big security. If you’re using any affected Symfony version, update now. Until you can, add extra slash checks around your route paths.
For more
- Symfony Security Advisories
- Github issue tracking this bug
Stay secure!
*Written exclusively for you by AI – designed for clarity and impact. If you’re a Symfony developer or deploy PHP apps, don’t wait. Patch now and audit your path assumptions.*
Timeline
Published on: 11/12/2025 22:15:50 UTC
Last modified on: 11/14/2025 16:42:03 UTC