VulnerableCode Package Details - pkg:composer/symfony/symfony@7.1.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-p1dw-w76f-gbfv Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm	Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.	7.3.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.4.0-BETA1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-p1dw-w76f-gbfv
Aliases:
CVE-2025-64500
GHSA-3rg7-wf37-54rm

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.

7.3.7
Affected by 1 other vulnerability.

7.4.0-BETA1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8kq8-2mv9-s3ad	Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.	CVE-2024-50342 GHSA-9c3x-r3wp-mgxm

Vulnerability

Summary

Aliases

VCID-8kq8-2mv9-s3ad

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

CVE-2024-50342
GHSA-9c3x-r3wp-mgxm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:51:49.505647+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2025-64500.yml	38.4.0
2026-04-12T01:13:25.194835+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2025-64500.yml	38.3.0
2026-04-07T04:56:20.826850+00:00	GHSA Importer	Fixing	VCID-8kq8-2mv9-s3ad	https://github.com/advisories/GHSA-9c3x-r3wp-mgxm	38.1.0
2026-04-03T01:22:22.360697+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2025-64500.yml	38.1.0
2026-04-02T12:40:21.104530+00:00	GitLab Importer	Fixing	VCID-8kq8-2mv9-s3ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50342.yml	38.0.0
2026-04-01T12:51:13.890753+00:00	GithubOSV Importer	Fixing	VCID-8kq8-2mv9-s3ad	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-9c3x-r3wp-mgxm/GHSA-9c3x-r3wp-mgxm.json	38.0.0