Fixes CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization #18193

Merged
snipe merged 1 commit into grokability:develop from ubc-cpsc:bugfix/CVE-2025-64500
Nov 13, 2025

@joelpittet
Contributor

~/Contrib/snipe-it develop                                                                                                          18:06:11
❯ composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-foundation                                                          |
| Severity          | high                                                                             |
| CVE               | CVE-2025-64500                                                                   |
| Title             | CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization |
|                   | bypass                                                                           |
| URL               | https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead- |
|                   | to-limited-authorization-bypass                                                  |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
|                   | 0|>=7.3.0,<7.3.7                                                                 |
| Reported at       | 2025-11-12T11:09:14+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+------------------------+----------------------------------------------------------------------------------+
| Abandoned Package      | Suggested Replacement                                                            |
+------------------------+----------------------------------------------------------------------------------+
| laravelcollective/html | spatie/laravel-html                                                              |
+------------------------+----------------------------------------------------------------------------------+

@joelpittet joelpittet requested a review from snipe as a code owner November 13, 2025 02:11
@snipe snipe merged commit d2ab307 into grokability:develop Nov 13, 2025
8 checks passed