DEBIAN-CVE-2025-64500

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-64500

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-64500.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-64500

Upstream

CVE-2025-64500

Published

2025-11-12T22:15:50.127Z

Modified

2025-11-17T04:50:03.394002Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the Request class now ensures that URL paths always start with a /.

References

https://security-tracker.debian.org/tracker/CVE-2025-64500

Affected packages

Debian:11 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.19+dfsg-2

4.4.19+dfsg-2+deb11u1

4.4.19+dfsg-2+deb11u2

4.4.19+dfsg-2+deb11u3

4.4.19+dfsg-2+deb11u4

4.4.19+dfsg-2+deb11u5

4.4.19+dfsg-2+deb11u6

4.4.19+dfsg-2+deb11u7

4.4.19+dfsg-3

5.*

5.0.0~beta2-1

5.0.2-1

5.0.4-1

5.2.1+dfsg-1

5.2.2+dfsg-1

5.2.3+dfsg-1

5.2.4+dfsg-1

5.2.5+dfsg-1

5.2.6+dfsg-1

5.3.9+dfsg-1

5.3.10+dfsg-1

5.3.12+dfsg-1

5.3.12+dfsg-2

5.4.0~beta1+dfsg-1

5.4.0~beta2+dfsg-1

5.4.0~beta3+dfsg-1

5.4.0~rc1+dfsg-1

5.4.0~rc1+dfsg-2

5.4.0~rc1+dfsg-3

5.4.0+dfsg-1

5.4.0+dfsg-2

5.4.1+dfsg-1

5.4.2+dfsg-1

5.4.2+dfsg-2

5.4.2+dfsg-3

5.4.4+dfsg-1

5.4.6+dfsg-1

5.4.8+dfsg-1

5.4.9+dfsg-1

5.4.9+dfsg-2

5.4.10+dfsg-1

5.4.11+dfsg-1

5.4.11+dfsg-2

5.4.12+dfsg-1

5.4.12+dfsg-2

5.4.13+dfsg-1

5.4.14+dfsg-1

5.4.15+dfsg-1

5.4.16+dfsg-1

5.4.18+dfsg-1

5.4.18+dfsg-2

5.4.18+dfsg-3

5.4.19+dfsg-1

5.4.20+dfsg-1

5.4.21+dfsg-1

5.4.22+dfsg-1

5.4.22+dfsg-2

5.4.22+dfsg-3

5.4.23+dfsg-1

5.4.24+dfsg-1

5.4.25+dfsg-1

5.4.27+dfsg-1

5.4.28+dfsg-1

5.4.29+dfsg-1

5.4.30+dfsg-1

5.4.31+dfsg-1

5.4.31+dfsg-2

5.4.32+dfsg-1

5.4.33+dfsg-1

5.4.34+dfsg-1

5.4.34+dfsg-2

5.4.35+dfsg-1

5.4.35+dfsg-2

5.4.35+dfsg-3

6.*

6.3.0~rc1+dfsg-1

6.3.0~rc2+dfsg-1

6.3.0+dfsg-1

6.3.1+dfsg-1

6.3.3+dfsg-1

6.3.4+dfsg-1

6.3.5+dfsg-1

6.3.6+dfsg-1

6.3.7+dfsg-1

6.4.0~beta2+dfsg-1

6.4.0~beta3+dfsg-1

6.4.0~rc1+dfsg-1

6.4.0~rc2+dfsg-1

6.4.0+dfsg-1

6.4.1+dfsg-1

6.4.2+dfsg-1

6.4.3+dfsg-1

6.4.4+dfsg-1

6.4.4+dfsg-2

6.4.4+dfsg-3

6.4.4+dfsg-4

6.4.5+dfsg-1

6.4.5+dfsg-2

6.4.5+dfsg-3

6.4.5+dfsg-4

6.4.6+dfsg-1

6.4.7+dfsg-1

6.4.9+dfsg-1

6.4.10+dfsg-1

6.4.11+dfsg-1

6.4.12+dfsg-1

6.4.13+dfsg-1

6.4.14+dfsg-1

6.4.15+dfsg-1

6.4.16+dfsg-1

6.4.16+dfsg-2

6.4.17+dfsg-1

6.4.17+dfsg-2

6.4.17+dfsg-3

6.4.17+dfsg-4

6.4.17+dfsg-5

6.4.17+dfsg-6

6.4.18+dfsg-1

6.4.19+dfsg-1

6.4.19+dfsg-2

6.4.20+dfsg-1

6.4.20+dfsg-2

6.4.21+dfsg-1

6.4.21+dfsg-2

6.4.24+dfsg-1

6.4.25+dfsg-1

7.*

7.0.4+dfsg-1

7.0.5+dfsg-1

7.0.6+dfsg-1

7.0.7+dfsg-1

7.1.0~beta1+dfsg-1

7.1.0~rc1+dfsg-1

7.1.2+dfsg-1

7.1.3+dfsg-1

7.1.4+dfsg-1

7.1.5+dfsg-1

7.2.0~beta1+dfsg-1

7.2.0~beta2+dfsg-1

7.2.0~rc1+dfsg-1

7.2.1+dfsg-1

7.2.2+dfsg-1

7.2.3+dfsg-1

7.2.4+dfsg-1

7.2.5+dfsg-1

7.2.6-1

7.3.0~beta1+dfsg-1

7.3.0~beta2+dfsg-1

7.3.0~rc1+dfsg-1

7.3.0+dfsg-1

7.3.1+dfsg-1

7.3.2+dfsg-1

7.3.3+dfsg-1

7.3.4+dfsg-1

7.3.5-1

7.4.0~beta1-1

7.4.0~beta1-2

7.4.0~beta2+dfsg-1

7.4.0~beta2+dfsg-2

7.4.0~beta2+dfsg-3

7.4.0~rc1+dfsg-1

8.*

8.0.0~beta2+dfsg-1

8.0.0~beta2+dfsg-2

8.0.0~rc1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.4.23+dfsg-1

5.4.23+dfsg-1+deb12u1

5.4.23+dfsg-1+deb12u2

5.4.23+dfsg-1+deb12u3

5.4.23+dfsg-1+deb12u4

5.4.24+dfsg-1

5.4.25+dfsg-1

5.4.27+dfsg-1

5.4.28+dfsg-1

5.4.29+dfsg-1

5.4.30+dfsg-1

5.4.31+dfsg-1

5.4.31+dfsg-2

5.4.32+dfsg-1

5.4.33+dfsg-1

5.4.34+dfsg-1

5.4.34+dfsg-2

5.4.35+dfsg-1

5.4.35+dfsg-2

5.4.35+dfsg-3

6.*

6.3.0~rc1+dfsg-1

6.3.0~rc2+dfsg-1

6.3.0+dfsg-1

6.3.1+dfsg-1

6.3.3+dfsg-1

6.3.4+dfsg-1

6.3.5+dfsg-1

6.3.6+dfsg-1

6.3.7+dfsg-1

6.4.0~beta2+dfsg-1

6.4.0~beta3+dfsg-1

6.4.0~rc1+dfsg-1

6.4.0~rc2+dfsg-1

6.4.0+dfsg-1

6.4.1+dfsg-1

6.4.2+dfsg-1

6.4.3+dfsg-1

6.4.4+dfsg-1

6.4.4+dfsg-2

6.4.4+dfsg-3

6.4.4+dfsg-4

6.4.5+dfsg-1

6.4.5+dfsg-2

6.4.5+dfsg-3

6.4.5+dfsg-4

6.4.6+dfsg-1

6.4.7+dfsg-1

6.4.9+dfsg-1

6.4.10+dfsg-1

6.4.11+dfsg-1

6.4.12+dfsg-1

6.4.13+dfsg-1

6.4.14+dfsg-1

6.4.15+dfsg-1

6.4.16+dfsg-1

6.4.16+dfsg-2

6.4.17+dfsg-1

6.4.17+dfsg-2

6.4.17+dfsg-3

6.4.17+dfsg-4

6.4.17+dfsg-5

6.4.17+dfsg-6

6.4.18+dfsg-1

6.4.19+dfsg-1

6.4.19+dfsg-2

6.4.20+dfsg-1

6.4.20+dfsg-2

6.4.21+dfsg-1

6.4.21+dfsg-2

6.4.24+dfsg-1

6.4.25+dfsg-1

7.*

7.0.4+dfsg-1

7.0.5+dfsg-1

7.0.6+dfsg-1

7.0.7+dfsg-1

7.1.0~beta1+dfsg-1

7.1.0~rc1+dfsg-1

7.1.2+dfsg-1

7.1.3+dfsg-1

7.1.4+dfsg-1

7.1.5+dfsg-1

7.2.0~beta1+dfsg-1

7.2.0~beta2+dfsg-1

7.2.0~rc1+dfsg-1

7.2.1+dfsg-1

7.2.2+dfsg-1

7.2.3+dfsg-1

7.2.4+dfsg-1

7.2.5+dfsg-1

7.2.6-1

7.3.0~beta1+dfsg-1

7.3.0~beta2+dfsg-1

7.3.0~rc1+dfsg-1

7.3.0+dfsg-1

7.3.1+dfsg-1

7.3.2+dfsg-1

7.3.3+dfsg-1

7.3.4+dfsg-1

7.3.5-1

7.4.0~beta1-1

7.4.0~beta1-2

7.4.0~beta2+dfsg-1

7.4.0~beta2+dfsg-2

7.4.0~beta2+dfsg-3

7.4.0~rc1+dfsg-1

8.*

8.0.0~beta2+dfsg-1

8.0.0~beta2+dfsg-2

8.0.0~rc1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.4.21+dfsg-2

6.4.24+dfsg-1

6.4.25+dfsg-1

7.*

7.0.4+dfsg-1

7.0.5+dfsg-1

7.0.6+dfsg-1

7.0.7+dfsg-1

7.1.0~beta1+dfsg-1

7.1.0~rc1+dfsg-1

7.1.2+dfsg-1

7.1.3+dfsg-1

7.1.4+dfsg-1

7.1.5+dfsg-1

7.2.0~beta1+dfsg-1

7.2.0~beta2+dfsg-1

7.2.0~rc1+dfsg-1

7.2.1+dfsg-1

7.2.2+dfsg-1

7.2.3+dfsg-1

7.2.4+dfsg-1

7.2.5+dfsg-1

7.2.6-1

7.3.0~beta1+dfsg-1

7.3.0~beta2+dfsg-1

7.3.0~rc1+dfsg-1

7.3.0+dfsg-1

7.3.1+dfsg-1

7.3.2+dfsg-1

7.3.3+dfsg-1

7.3.4+dfsg-1

7.3.5-1

7.4.0~beta1-1

7.4.0~beta1-2

7.4.0~beta2+dfsg-1

7.4.0~beta2+dfsg-2

7.4.0~beta2+dfsg-3

7.4.0~rc1+dfsg-1

8.*

8.0.0~beta2+dfsg-1

8.0.0~beta2+dfsg-2

8.0.0~rc1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.4.21+dfsg-2

6.4.24+dfsg-1

6.4.25+dfsg-1

7.*

7.0.4+dfsg-1

7.0.5+dfsg-1

7.0.6+dfsg-1

7.0.7+dfsg-1

7.1.0~beta1+dfsg-1

7.1.0~rc1+dfsg-1

7.1.2+dfsg-1

7.1.3+dfsg-1

7.1.4+dfsg-1

7.1.5+dfsg-1

7.2.0~beta1+dfsg-1

7.2.0~beta2+dfsg-1

7.2.0~rc1+dfsg-1

7.2.1+dfsg-1

7.2.2+dfsg-1

7.2.3+dfsg-1

7.2.4+dfsg-1

7.2.5+dfsg-1

7.2.6-1

7.3.0~beta1+dfsg-1

7.3.0~beta2+dfsg-1

7.3.0~rc1+dfsg-1

7.3.0+dfsg-1

7.3.1+dfsg-1

7.3.2+dfsg-1

7.3.3+dfsg-1

7.3.4+dfsg-1

7.3.5-1

7.4.0~beta1-1

7.4.0~beta1-2

7.4.0~beta2+dfsg-1

7.4.0~beta2+dfsg-2

7.4.0~beta2+dfsg-3

7.4.0~rc1+dfsg-1

8.*

8.0.0~beta2+dfsg-1

8.0.0~beta2+dfsg-2

8.0.0~rc1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}