VulnerableCode Package Details - pkg:composer/symfony/http-foundation@5.4.46

Search for packages

Vulnerability	Summary	Fixed by
VCID-p1dw-w76f-gbfv Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm	Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.	5.4.50 Affected by 0 other vulnerabilities. 6.4.29 Affected by 0 other vulnerabilities. 7.3.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-p1dw-w76f-gbfv
Aliases:
CVE-2025-64500
GHSA-3rg7-wf37-54rm

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.

5.4.50
Affected by 0 other vulnerabilities.

6.4.29
Affected by 0 other vulnerabilities.

7.3.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9bzz-84cq-ykh2	Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.	CVE-2024-50345 GHSA-mrqx-rp3w-jpjp

Vulnerability

Summary

Aliases

VCID-9bzz-84cq-ykh2

Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

CVE-2024-50345
GHSA-mrqx-rp3w-jpjp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T01:13:27.623208+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml	38.3.0
2026-04-12T00:31:46.027180+00:00	GitLab Importer	Fixing	VCID-9bzz-84cq-ykh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml	38.3.0
2026-04-07T04:56:21.148061+00:00	GHSA Importer	Fixing	VCID-9bzz-84cq-ykh2	https://github.com/advisories/GHSA-mrqx-rp3w-jpjp	38.1.0
2026-04-03T01:22:24.834852+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml	38.1.0
2026-04-03T00:39:29.031912+00:00	GitLab Importer	Fixing	VCID-9bzz-84cq-ykh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml	38.1.0
2026-04-02T12:40:20.490985+00:00	GitLab Importer	Fixing	VCID-9bzz-84cq-ykh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml	38.0.0
2026-04-01T12:51:08.364492+00:00	GithubOSV Importer	Fixing	VCID-9bzz-84cq-ykh2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-mrqx-rp3w-jpjp/GHSA-mrqx-rp3w-jpjp.json	38.0.0