CVE-2025-64500

ADVISORY - github

Summary

Description

The Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption.

Resolution

The Request class now ensures that URL paths always start with a /.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.

EPSS Score⁠: 0.02482 (0.853)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-647⁠

Use of Non-Canonical URL Paths for Authorization Decisions

ADVISORY - github

CWE-647⁠

Use of Non-Canonical URL Paths for Authorization Decisions

Impacted images

Advisories

NIST

CREATED

5 months ago

UPDATED

3 months ago

ADVISORY IDCVE-2025-64500⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-647⁠

CVSS SCORE

7.3high

GitHub

CREATED

5 months ago

UPDATED

5 months ago

ADVISORY IDGHSA-3rg7-wf37-54rm⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-647⁠

CVSS SCORE

7.3high

Debian

CREATED

5 months ago

UPDATED

3 days ago

ADVISORY IDCVE-2025-64500⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

5 months ago

UPDATED

3 months ago

ADVISORY IDCVE-2025-64500⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Chainguard

CREATED

3 months ago

UPDATED

3 months ago

ADVISORY ID

CGA-mmqg-729v-84wf

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY