What is CVE-2025-64500?

CVE-2025-64500 is a high-severity vulnerability in Symfony, classified under CWE-647. CVSS score: 7.3/10. Published 2025-11-12.

How severe is CVE-2025-64500?

High severity. CVSS v3 base score is 7.3 out of 10.

Vulnerability in Symfony

CVE-2025-64500

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versio…

EPSS: 0.063 (91.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Symfony — versions >= 2.0.0, < 5.4.50, >= 6.0.0, < 6.4.29, >= 7.0.0, < 7.3.7

Weakness classification (CWE)

CWE-647

References

https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm (x_refsource_CONFIRM)
https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac (x_refsource_MISC)
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml (x_refsource_MISC)
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml (x_refsource_MISC)
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-64500?: CVE-2025-64500 is a high-severity vulnerability in Symfony, classified under CWE-647. CVSS score: 7.3/10. Published 2025-11-12.
How severe is CVE-2025-64500?: High severity. CVSS v3 base score is 7.3 out of 10.