{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T17:16:47.603","vulnerabilities":[{"cve":{"id":"CVE-2025-64500","sourceIdentifier":"security-advisories@github.com","published":"2025-11-12T22:15:50.127","lastModified":"2026-01-12T17:49:20.307","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-647"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"5.4.50","matchCriteriaId":"5D588185-C231-41DD-AE26-9EF1B0455E74"},{"vulnerable":true,"criteria":"cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.4.29","matchCriteriaId":"BB2A74C0-A989-4BAB-BDB3-0A65864B562A"},{"vulnerable":true,"criteria":"cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.3.7","matchCriteriaId":"3F169B04-38C4-4825-A5A2-F010F1BC3D82"},{"vulnerable":true,"criteria":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"5.4.50","matchCriteriaId":"6E3ADEC4-C8AE-415E-969F-5B4D1C1C701C"},{"vulnerable":true,"criteria":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.4.29","matchCriteriaId":"6E769614-2F0D-4DD4-871D-8AE245F3EC9C"},{"vulnerable":true,"criteria":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.3.7","matchCriteriaId":"6AFA7FF2-0E23-4EC8-923E-3A4A69C75B13"}]}]}],"references":[{"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}}]}