72 matches found
Symfony HttpFoundation - Access Control Bypass via PATH_INFO
Symfony HttpFoundation component >= 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7 contains an access control bypass vulnerability. The Request class improperly interprets some PATH_INFO values, producing URL paths without a leading /. This allows bypassing access control rules that are buil...
Astra Linux - vulnerability in symfony
Symfony is a PHP framework for web and console applications, along with a set of reusable PHP components. Symfony’s HttpFoundation component defines an object-oriented layer for handling HTTP requests. Starting from version 2.0.0 and before versions 5.4.50, 6.4.29, and 7.3.7, the Request class...
Linux Distros Unpatched Vulnerability : CVE-2025-64500
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented...
CVE-2025-64500
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...
UBUNTU-CVE-2025-64500
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...
CVE-2025-64500
Affected component: Symfony HttpFoundation (Symfony PHP framework). Vulnerability: The Request class improperly interprets some PATH_INFO, allowing representation of URLs without a leading slash and potentially bypassing access-control rules that assume a leading “/”. Versions and root cause: Pri...
CVE-2025-64500
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...
CVE-2025-64500 Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...
Incorrect Authorization
Overview: symfony/http-foundation is a component that defines an object-oriented layer for the HTTP specification. Affected versions of this package are vulnerable to Incorrect Authorization due to the Request class improperly interpreting some PATH_INFO in a way that leads to representing some URLs wit...
PT-2025-46712
Name of the Vulnerable Software and Affected Versions: Symfony versions 2.0.0 through 5.4.49; Symfony versions 6.0.0 through 6.4.28; Symfony versions 7.0.0 through 7.3.6. Description: Symfony’s HttpFoundation component’s Request class incorrectly parses the PATH_INFO value. This can result in URLs bei...
EUVD-2022-5068
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2018-14773
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through...
DEBIAN-CVE-2024-50345
symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The Request class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class...
PT-2024-34155 · Symfony +5 · Symfony Httpfoundation +5
Name of the Vulnerable Software and Affected Versions: symfony/http-foundation versions prior to 5.4.46; symfony/http-foundation versions prior to 6.4.14; symfony/http-foundation versions prior to 7.1.7. Description: The Request class in symfony/http-foundation does not parse URI with special...
Symfony has unsafe methods in the Request class
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as they are not maintain...
GHSA-P684-F7FH-JV2J Symfony has unsafe methods in the Request class
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as they are not maintain...
Symfony has a security issue when parsing the Authorization header
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore...
GHSA-H7V2-2QWG-H829 Symfony has a security issue when parsing the Authorization header
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore...
GHSA-V77V-X634-9M56 Symfony vulnerable to denial of service via a malicious HTTP Host header
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore...
PT-2024-10555 · Symfony · Symfony Httpfoundation
Name of the Vulnerable Software and Affected Versions: Symfony HttpFoundation component versions 2.0.X through 2.5.X. Description: This issue allows for a Denial of Service (DoS) attack when an arbitrarily long hostname is sent by a client. The parsing of the hostname in the Request::getHost functio...