CVE-2025-64500

ADVISORY - github

Summary

Description

The Request class misinterprets certain PATH_INFO values, so that some URLs end up represented with a path that does not start with a /. Access control rules written on the assumption that every path begins with / can therefore be bypassed for such requests.

Resolution

The Request class now ensures that URL paths always start with a /.

The patch for this issue is available here for branch 5.4.
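The following is an added illustration of the bug class named in this advisory, written for this page and not taken from the affected Request class or its patch. It models, in Python, a prefix-based access control list that assumes every path starts with /, a request whose path is taken from PATH_INFO verbatim, and the normalisation the advisory describes as the fix (ensuring the path always starts with /). The rule set, role names and the "no matching rule means unrestricted" behaviour are constructed assumptions for the model.

```python
"""Model of CWE 'Use of Non-Canonical URL Paths for Authorization Decisions'
as described for CVE-2025-64500: a path without a leading '/' slips past
rules that only ever compare against '/'-prefixed patterns."""

# Constructed rule list: the first rule whose prefix matches the path decides.
# Every prefix starts with '/', which is the assumption the bug undermines.
ACCESS_RULES = [
    ("/admin", {"ROLE_ADMIN"}),             # admin area: admins only
    ("/", {"ROLE_USER", "ROLE_ADMIN"}),     # everything else: any signed-in user
]


def naive_path(path_info: str) -> str:
    """Vulnerable model: the request path is PATH_INFO taken verbatim,
    so a value such as 'admin/users' keeps its missing leading slash."""
    return path_info


def canonical_path(path_info: str) -> str:
    """Hardened model mirroring the advisory's resolution: the request path
    always starts with '/', and an empty PATH_INFO becomes '/'."""
    path = path_info or "/"
    return path if path.startswith("/") else "/" + path


def is_allowed(path: str, roles: set) -> bool:
    """Prefix-based authorisation. A path that matches no rule is treated as
    unrestricted (a modelling assumption, but a common default for rule lists
    that only enumerate protected areas), which is what turns a non-canonical
    path into a bypass rather than a denial."""
    for prefix, required_roles in ACCESS_RULES:
        if path.startswith(prefix):
            return bool(roles & required_roles)
    return True


def check_request(path_info: str, roles: set, normalize=canonical_path) -> bool:
    """Authorise one request whose raw PATH_INFO is `path_info`, after
    normalising it with `normalize` (naive_path or canonical_path)."""
    return is_allowed(normalize(path_info), roles)


if __name__ == "__main__":
    user = {"ROLE_USER"}
    # Constructed request: PATH_INFO without its leading slash.
    for label, fn in (("naive", naive_path), ("canonical", canonical_path)):
        print(label, "admin/users as ROLE_USER ->", check_request("admin/users", user, fn))
```

With the naive model a plain user reaches the admin area through the slash-less path, while the canonical model denies it exactly as the /-prefixed request is denied.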

Credits

We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.

EPSS Score: 0.02482 (0.853)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Use of Non-Canonical URL Paths for Authorization Decisions

ADVISORY - github

Use of Non-Canonical URL Paths for Authorization Decisions
