Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/symfony/symfony@7.4.0-BETA1

Type composer

Namespace symfony

Name symfony

Version 7.4.0-BETA1

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 7.4.5

Latest_non_vulnerable_version 8.0.5

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-kgu6-gj5d-7bfx

vulnerability_id VCID-kgu6-gj5d-7bfx

summary

Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
### Summary
The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters.

This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended.

### Impact
If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive.

The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration).

### Resolution
Upgrade to a Symfony release that includes the fix from symfony/symfony#63164 (which updates Windows argument escaping to ensure arguments containing = and other MSYS2-sensitive characters are properly quoted/escaped).
The patch for branch 5.4 is available at https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b

### Workarounds / Mitigations
Avoid running PHP/your tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables.
Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2.
Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-24739

reference_id

reference_type

scores

value	8e-05
scoring_system	epss
scoring_elements	0.00719
published_at	2026-04-02T12:55:00Z

value	8e-05
scoring_system	epss
scoring_elements	0.00716
published_at	2026-04-04T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00895
published_at	2026-04-13T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00894
published_at	2026-04-12T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00899
published_at	2026-04-11T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00911
published_at	2026-04-09T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00913
published_at	2026-04-08T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.0091
published_at	2026-04-07T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00892
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-24739

reference_url

https://github.com/symfony/symfony

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony

reference_url

https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/

url

https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3

reference_url

https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/

url

https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b

reference_url

https://github.com/symfony/symfony/issues/62921

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/

url

https://github.com/symfony/symfony/issues/62921

reference_url

https://github.com/symfony/symfony/pull/63164

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/

url

https://github.com/symfony/symfony/pull/63164

reference_url

https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/

url

https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-24739

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-24739

reference_url

https://github.com/advisories/GHSA-r39x-jcww-82v6

reference_id

GHSA-r39x-jcww-82v6

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r39x-jcww-82v6

fixed_packages

url	pkg:composer/symfony/symfony@5.4.51
purl	pkg:composer/symfony/symfony@5.4.51
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.51

url	pkg:composer/symfony/symfony@6.0.0-BETA1
purl	pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1

url	pkg:composer/symfony/symfony@6.4.33
purl	pkg:composer/symfony/symfony@6.4.33
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.33

url	pkg:composer/symfony/symfony@7.0.0-BETA1
purl	pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1

url	pkg:composer/symfony/symfony@7.3.11
purl	pkg:composer/symfony/symfony@7.3.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.3.11

url	pkg:composer/symfony/symfony@7.4.0-BETA1
purl	pkg:composer/symfony/symfony@7.4.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.0-BETA1

url	pkg:composer/symfony/symfony@7.4.5
purl	pkg:composer/symfony/symfony@7.4.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.5

url	pkg:composer/symfony/symfony@8.0.0-BETA1
purl	pkg:composer/symfony/symfony@8.0.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@8.0.0-BETA1

url	pkg:composer/symfony/symfony@8.0.5
purl	pkg:composer/symfony/symfony@8.0.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@8.0.5

aliases CVE-2026-24739, GHSA-r39x-jcww-82v6

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kgu6-gj5d-7bfx

url VCID-p1dw-w76f-gbfv

vulnerability_id VCID-p1dw-w76f-gbfv

summary

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64500

reference_id

reference_type

scores

value	0.00047
scoring_system	epss
scoring_elements	0.14662
published_at	2026-04-02T12:55:00Z

value	0.01842
scoring_system	epss
scoring_elements	0.82999
published_at	2026-04-16T12:55:00Z

value	0.0197
scoring_system	epss
scoring_elements	0.83544
published_at	2026-04-11T12:55:00Z

value	0.0197
scoring_system	epss
scoring_elements	0.83538
published_at	2026-04-12T12:55:00Z

value	0.02482
scoring_system	epss
scoring_elements	0.85295
published_at	2026-04-13T12:55:00Z

value	0.03928
scoring_system	epss
scoring_elements	0.88321
published_at	2026-04-09T12:55:00Z

value	0.03928
scoring_system	epss
scoring_elements	0.88316
published_at	2026-04-08T12:55:00Z

value	0.03928
scoring_system	epss
scoring_elements	0.88296
published_at	2026-04-07T12:55:00Z

value	0.03928
scoring_system	epss
scoring_elements	0.88291
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64500

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500

reference_url

https://github.com/symfony/symfony

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony

reference_url

https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/

url

https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64500

reference_id

CVE-2025-64500

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64500

reference_url

https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

reference_id

CVE-2025-64500-INCORRECT-PARSING-OF-PATH-INFO-CAN-LEAD-TO-LIMITED-AUTHORIZATION-BYPASS

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/

url

https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml

reference_id

CVE-2025-64500.YAML

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml

reference_id

CVE-2025-64500.YAML

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml

reference_url

https://github.com/advisories/GHSA-3rg7-wf37-54rm

reference_id

GHSA-3rg7-wf37-54rm

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3rg7-wf37-54rm

reference_url

https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm

reference_id

GHSA-3rg7-wf37-54rm

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/

url

https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm

fixed_packages

url pkg:composer/symfony/symfony@5.4.50

purl pkg:composer/symfony/symfony@5.4.50

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kgu6-gj5d-7bfx

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.50

url	pkg:composer/symfony/symfony@6.0.0-BETA1
purl	pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1

url pkg:composer/symfony/symfony@6.4.29

purl pkg:composer/symfony/symfony@6.4.29

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kgu6-gj5d-7bfx

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.29

url	pkg:composer/symfony/symfony@7.0.0-BETA1
purl	pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1

url pkg:composer/symfony/symfony@7.3.7

purl pkg:composer/symfony/symfony@7.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kgu6-gj5d-7bfx

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.3.7

url	pkg:composer/symfony/symfony@7.4.0-BETA1
purl	pkg:composer/symfony/symfony@7.4.0-BETA1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.0-BETA1

aliases CVE-2025-64500, GHSA-3rg7-wf37-54rm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p1dw-w76f-gbfv

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.0-BETA1

Package Instance