=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN800
_____________________________________________________________________

DATE                : 14/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running symfony/http-foundation (Composer)
                     or symfony/symfony (Composer) versions prior to
                     5.4.50, 6.4.29, 7.3.7;
                     symfony/security-http (Composer) versions prior to
                     5.4.47, 6.4.15, 7.1.8.

=====================================================================
https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr
_____________________________________________________________________


Incorrect parsing of PATH_INFO can lead to limited authorization bypass

High
nicolas-grekas published GHSA-3rg7-wf37-54rm Nov 12, 2025

Package
symfony/http-foundation (Composer)

Affected versions
<5.4.50
>=6, <6.4.29
>=7, <7.3.7

Patched versions
5.4.50
6.4.29
7.3.7

symfony/symfony (Composer)
Affected versions
<5.4.50
>=6, <6.4.29
>=7, <7.3.7
Patched versions
5.4.50
6.4.29
7.3.7


Description

The Request class improperly interprets certain PATH_INFO values, so
that some URLs are represented with a path that does not start with a
/. This can allow bypassing access control rules that are built on the
assumption that every path carries this / prefix.


Resolution

The Request class now ensures that URL paths always start with a /.

The patch for this issue is available here for branch 5.4.
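
To make the /-prefix assumption concrete, here is an added PHP example (not Symfony's code and not part of the advisory) with a hypothetical normalizePath() helper that applies the guarantee the fix introduces, next to a simplified rule check in the style of Symfony's RequestMatcher. The sample paths are constructed for illustration; the example does not show how an unrooted path is produced, only why a rooted path is required.

```php
<?php
// Added example, not Symfony's code. Access-control rules are commonly
// written as anchored regexes such as "^/admin"; if a request path is ever
// represented without its leading "/", such a rule silently fails to match.

/**
 * Ensure a request path is always rooted, mirroring the behaviour the fixed
 * Request class guarantees. Hypothetical helper, not part of Symfony.
 */
function normalizePath(string $path): string
{
    // An empty path means the site root.
    if ($path === '') {
        return '/';
    }

    return $path[0] === '/' ? $path : '/'.$path;
}

/**
 * Simplified access rule check in the style of Symfony's RequestMatcher,
 * which tests the decoded path against a regex wrapped in "{...}".
 */
function ruleMatches(string $pattern, string $path): bool
{
    return preg_match('{'.$pattern.'}', rawurldecode($path)) === 1;
}

$rule = '^/admin';

// Constructed sample paths: a rooted path, an unrooted one, and an empty one.
$samples = ['/admin/users', 'admin/users', ''];

foreach ($samples as $path) {
    $raw   = ruleMatches($rule, $path) ? 'matched' : 'NOT matched';
    $fixed = ruleMatches($rule, normalizePath($path)) ? 'matched' : 'NOT matched';
    printf(
        "%-14s raw: %-12s normalized as %-13s: %s\n",
        var_export($path, true),
        $raw,
        var_export(normalizePath($path), true),
        $fixed
    );
}
// The unrooted "admin/users" is NOT matched by "^/admin" as-is, but is
// matched once it is normalized to "/admin/users": an access rule that
// only holds for rooted paths is safe only if paths are always rooted.
```

On an affected deployment the relevant check is simply the installed version (composer show symfony/http-foundation), since the fix lives in the Request class itself rather than in application rules.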


Credits

We would like to thank Andrew Atkinson for discovering the issue,
Chris Smith for reporting it and Nicolas Grekas for providing
the fix.


Severity
High
7.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID
CVE-2025-64500

Weaknesses
CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions)


Credits

    @cs278 (Reporter)
    @nicolas-grekas (Remediation developer)

_____________________________________________________________________


Authentication Bypass via persisted RememberMe cookie
High
nicolas-grekas published GHSA-cg23-qf8f-62rr Nov 13, 2024

Package
symfony/security-http (Composer)

Affected versions
>=5.3, <5.4.47
>=6, <6.4.15
>=7, <7.1.8

Patched versions
5.4.47
6.4.15
7.1.8


Description

When consuming a persisted remember-me cookie, Symfony does not check
that the username persisted in the database matches the username
carried in the cookie, leading to authentication bypass.


Resolution

The PersistentRememberMeHandler class now ensures the submitted
username is the cookie owner.

The patch for this issue is available here for branch 5.4.


Credits

We would like to thank Moritz Rauch - Pentryx AG for reporting
the issue and Jérémy Derussé for providing the fix.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2024-51996

Weaknesses
No CWEs


Credits

    @jderusse (Remediation developer)
    @m0xr4 (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================