exploitDog
GHSA-3rg7-wf37-54rm

Published: 12 Nov 2025
Source: github
GitHub: reviewed
CVSS3: 7.3

Description

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

Description

The Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption.

Resolution

The Request class now ensures that URL paths always start with a /.

The patch for this issue is available here for branch 5.4.
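The `/`-prefix assumption the advisory refers to, shown as an added example that is not Symfony's code: a stripped-down model of `access_control`-style regex matching against the request path, a constructed path of the shape the advisory describes (no leading `/`), and a normalisation function standing in for the fix. The rule set, the sample paths and the helper names are assumptions for illustration; the actual `PATH_INFO` values that trigger the parsing bug are not given on this page and are not reproduced here.

```php
<?php
declare(strict_types=1);

// Simplified model of Symfony-style access_control: each `path` is a regex
// tested against the request's path info and the first matching rule wins.
// This rule set is constructed for the example.
const ACCESS_CONTROL = [
    ['path' => '^/admin', 'roles' => ['ROLE_ADMIN']],
    ['path' => '^/api',   'roles' => ['ROLE_USER']],
];

/**
 * Roles required for $pathInfo, or null when no rule matches.
 * When no rule matches, access_control imposes nothing on the request,
 * which is why a path of an unexpected shape is dangerous.
 */
function requiredRoles(string $pathInfo): ?array
{
    foreach (ACCESS_CONTROL as $rule) {
        if (preg_match('{' . $rule['path'] . '}', $pathInfo) === 1) {
            return $rule['roles'];
        }
    }
    return null;
}

/** Hypothetical stand-in for the fix: guarantee the path starts with '/'. */
function normalizePathInfo(string $pathInfo): string
{
    return str_starts_with($pathInfo, '/') ? $pathInfo : '/' . $pathInfo;
}

/** Audit helper (assumed name): list rules whose regex is anchored on '^/'. */
function rulesAssumingSlashPrefix(array $rules): array
{
    return array_values(array_filter(
        array_column($rules, 'path'),
        fn (string $re): bool => str_starts_with($re, '^/')
    ));
}

// Constructed inputs: a well-formed path and the same path without the
// leading '/', the shape the advisory says an affected Request can produce.
foreach (['/admin/users', 'admin/users'] as $pathInfo) {
    printf(
        "%-13s raw: %-16s normalized: %s\n",
        $pathInfo,
        json_encode(requiredRoles($pathInfo)),
        json_encode(requiredRoles(normalizePathInfo($pathInfo)))
    );
}

printf(
    "rules relying on the '/' prefix: %s\n",
    implode(', ', rulesAssumingSlashPrefix(ACCESS_CONTROL))
);
```

Run it with `php` on the command line. The second row is the point: a pattern anchored on `^/` matches nothing for `admin/users`, so no rule applies and the request is not denied, while the normalised path matches `^/admin` again. Every rule in a typical `access_control` block is anchored this way, so a catch-all `^/` rule does not help either. Upgrading to the fixed versions is the fix; normalising the path in application code is only a mitigation.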

Credits

We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.

Packages

Package                  Ecosystem  Affected versions   Fixed version
symfony/http-foundation  composer   < 5.4.50            5.4.50
symfony/http-foundation  composer   >= 6.0.0, < 6.4.29  6.4.29
symfony/http-foundation  composer   >= 7.0.0, < 7.3.7   7.3.7
symfony/symfony          composer   >= 2.0.0, < 5.4.50  5.4.50
symfony/symfony          composer   >= 6.0.0, < 6.4.29  6.4.29
symfony/symfony          composer   >= 7.0.0, < 7.3.7   7.3.7

EPSS

Percentile: 9%
0.00031
Low

CVSS3

7.3 High

Weaknesses

CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions)

Related vulnerabilities

CVSS3: 7.3
ubuntu
2 months ago

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

CVSS3: 7.3
nvd
2 months ago

Same description as the Ubuntu entry above.

CVSS3: 7.3
debian
2 months ago

Symfony is a PHP framework for web and console applications and a set ...

CVSS3: 7.3
redos
24 days ago

php-symfony4 vulnerability
