CVE-2025-64500

Name: CVE-2025-64500

Description: Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version                  Status
symfony (PTS)    bullseye                        4.4.19+dfsg-2+deb11u6    vulnerable
                 bullseye (security)             4.4.19+dfsg-2+deb11u7    vulnerable
                 bookworm (security), bookworm   5.4.23+dfsg-1+deb12u4    vulnerable
                 trixie                          6.4.21+dfsg-2            vulnerable
                 forky                           7.4.0~rc2+dfsg-1         fixed
                 sid                             7.4.0+dfsg-2             fixed

The information below is based on the following data on fixed versions.

Package   Type     Release        Fixed Version        Urgency   Origin   Debian Bugs
symfony   source   experimental   8.0.0~beta2+dfsg-2
symfony   source   (unstable)     7.4.0~rc1+dfsg-1

Notes

[trixie] - symfony <no-dsa> (Minor issue)
[bookworm] - symfony <no-dsa> (Minor issue)
[bullseye] - symfony <postponed> (Minor issue)
https://github.com/advisories/GHSA-3rg7-wf37-54rm
https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac (v5.4.50, v6.4.29, v7.3.7)
