Vulnerability details: VCID-tyxz-bxm5-puc2
Vulnerability ID VCID-tyxz-bxm5-puc2
Aliases CVE-2012-6431
GHSA-83c3-qx27-2rwr
Summary Symfony Allows URI Restrictions Bypass Via Double-Encoded String
In Symfony 2.0.x, a security issue allows access to routes protected by a firewall even when the user is not logged in. Both the Routing component and the Security component use the path returned by `getPathInfo()` to match a Request. `getPathInfo()` returns a decoded path, but the Routing component (`Symfony\Component\Routing\Matcher\UrlMatcher`) decodes the path a second time, whereas the Security component (`Symfony\Component\HttpFoundation\RequestMatcher`) does not. Because the two components end up matching against different forms of the same path, Symfony 2.0 is vulnerable to double encoding attacks.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (4)
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.51499
EPSS Score 0.00285
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:28:21.186539+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-83c3-qx27-2rwr/GHSA-83c3-qx27-2rwr.json 36.1.3