Symfony HttpFoundation Component PATH_INFO Authorization Bypass Vulnerability
Vulnerability
A vulnerability in the Symfony HttpFoundation component affects versions 2.0.0 up to but not including 5.4.50, 6.0.0 up to but not including 6.4.29, and 7.0.0 up to but not including 7.3.7, and allows a limited authorization bypass. The Request class incorrectly parses PATH_INFO for some request URIs, producing a path that does not start with '/'. Access control rules that assume the '/' prefix (for example, a path pattern anchored on a leading slash) do not match such a path, so the request is not subject to the rule. The vulnerability is patched in Symfony 5.4.50, 6.4.29 and 7.3.7.
Impact
Exploitation can lead to unauthorized access: a path-based access control rule that relies on the '/' prefix does not match the malformed path, so a request that should have required authentication or a specific role is handled without that requirement. The bypass is limited in scope: only rules and checks that depend on the leading slash are affected, and the request must reach a route that such a rule was meant to protect.
Reproduction
To reproduce this vulnerability, send the application a request whose URI causes the Request class to derive a PATH_INFO without a leading '/', then target a route that is guarded by a path-based access control rule which assumes that prefix and observe that the rule does not apply. This summary does not specify which URI shapes trigger the mis-parse. A practical check on a test instance is to log the result of Request::getPathInfo() for incoming requests and confirm that it always begins with '/'; any value that does not is the condition the access control rules were never written to handle.
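The following added example (illustrative code written for this page, not Symfony's implementation) models the failure mode described in the Impact and Reproduction sections: a small rule set in the style of security.yaml access_control, each rule a regex anchored on a leading slash, evaluated against the path the framework hands it. The same resource requested as `admin/users` instead of `/admin/users` matches no rule and therefore carries no restriction. The `normalizePath()` function shows the hardening a rule evaluator wants regardless of the framework fix: restore the invariant before the rules run. The rules, paths and role names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony code: a minimal model of path-based
// access control rules (regex on the request path, first match wins).
// Rule set and role names are constructed for this example.
const ACCESS_RULES = [
    ['path' => '^/admin',        'roles' => ['ROLE_ADMIN']],
    ['path' => '^/api/internal', 'roles' => ['ROLE_SERVICE']],
    ['path' => '^/',             'roles' => ['PUBLIC_ACCESS']], // catch-all
];

/**
 * Returns the roles required for $pathInfo by the first matching rule,
 * or null when nothing matched. In a first-match-wins evaluator "no rule"
 * means "no restriction", which is exactly what turns a parsing quirk
 * into an authorization bypass.
 */
function requiredRoles(string $pathInfo, array $rules = ACCESS_RULES): ?array
{
    foreach ($rules as $rule) {
        if (preg_match('{' . $rule['path'] . '}', $pathInfo) === 1) {
            return $rule['roles'];
        }
    }
    return null;
}

/**
 * Hardening: re-establish the invariant every anchored rule relies on.
 * A path that arrives without a leading slash is prefixed before the rules
 * run; an empty path becomes '/'.
 */
function normalizePath(string $pathInfo): string
{
    if ($pathInfo === '') {
        return '/';
    }
    return $pathInfo[0] === '/' ? $pathInfo : '/' . $pathInfo;
}

// Constructed inputs: each protected resource with and without its slash.
$cases = ['/admin/users', 'admin/users', '/api/internal/keys', 'api/internal/keys', ''];

foreach ($cases as $pathInfo) {
    $raw  = requiredRoles($pathInfo);
    $safe = requiredRoles(normalizePath($pathInfo));
    printf(
        "%-22s raw => %-18s normalized => %s\n",
        var_export($pathInfo, true),
        $raw === null ? 'NO RULE (bypass)' : implode(',', $raw),
        implode(',', $safe)
    );
}
```

Running this shows `admin/users` and `api/internal/keys` falling through every rule in the raw column while the normalized column resolves them to ROLE_ADMIN and ROLE_SERVICE. The `{...}` delimiters around each pattern and the first-match-wins loop are the shape a practitioner will recognize from regex-based path matchers; the point is that an anchor on `/` is a precondition on the input, and the evaluator, not only the parser, should guarantee it.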
Remediation
Update symfony/http-foundation (or the symfony/symfony monolith) to 5.4.50, 6.4.29, or 7.3.7, or to any later release on the same branch. Because the fix lives in the Request class, no configuration change substitutes for the upgrade; until it is deployed, treating a computed PATH_INFO that lacks a leading '/' as a malformed request (rejecting it, or normalizing it before any path-based authorization decision) is an interim measure, not a replacement for the patched release.
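A quick way to confirm the remediation across a fleet of applications is to read each project's composer.lock and compare the installed symfony/http-foundation version against the patched release for its branch. The script below is an added example for this page, not a Symfony or Composer tool; it embeds a constructed composer.lock fragment so it runs offline, and accepts a real lock file path as its first argument. The 5.4, 6.4 and 7.3 thresholds come from the advisory; versions on other branches are compared against 7.3.7, which matches the advisory's statement that every release before the three patched ones is affected.

```php
<?php
declare(strict_types=1);

// Added check, not part of the advisory or of Symfony: report whether the
// installed symfony/http-foundation is at or above the patched release.
const PACKAGE = 'symfony/http-foundation';
const FIXED   = ['5.4' => '5.4.50', '6.4' => '6.4.29', '7.3' => '7.3.7'];

// Constructed composer.lock fragment used when no file path is supplied.
const SAMPLE_LOCK = '{"packages":[{"name":"symfony/http-foundation","version":"v7.3.6"},'
    . '{"name":"symfony/routing","version":"v7.3.6"}],"packages-dev":[]}';

/** Returns the locked version of $package (without the leading "v"), or null. */
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $all  = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

/**
 * True when $version is at or above the fix for its branch. Branches with a
 * dedicated fix release are compared in-line; everything else (2.x, 5.0-5.3,
 * 6.0-6.3, 7.0-7.2, and newer branches such as 7.4) is compared against 7.3.7,
 * the last of the three fixed releases, which older branches never reach.
 * Branch aliases such as "dev-main" need manual review and report as unpatched.
 */
function isPatched(string $version): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    $floor  = FIXED[$branch] ?? '7.3.7';
    return version_compare($version, $floor, '>=');
}

$json    = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOCK;
$version = installedVersion($json, PACKAGE);

if ($version === null) {
    echo PACKAGE . " not present in lock file\n";
    exit(0);
}

$ok = isPatched($version);
printf("%s %s: %s\n", PACKAGE, $version, $ok ? 'patched' : 'VULNERABLE, upgrade required');
exit($ok ? 0 : 1);
```

With the embedded sample (v7.3.6) the script exits non-zero and reports the package as vulnerable; pointing it at a lock file that resolves to 7.3.7 or 6.4.29 or 5.4.50 exits zero. A non-zero exit makes it usable as a CI gate while the upgrade is rolled out.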