Key vulnerability information

Title: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
CVE ID: CVE-2025-64500
CVSS Score: 7.3 / 10 (High)
CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Affected versions:
- Affected versions: =6, =7, =6, =7, <7.3.7
- Patched versions: 5.4.50, 6.4.29, 7.3.7

Description:
- The class improperly interprets some PATH_INFO values in a way that leads to representing some URLs with a path that doesn't start with a . This can allow bypassing some access control rules that are built with this -prefix assumption: a rule written against a path that is expected to begin with that prefix never matches the malformed representation, so the request is handled as if no rule applied to it.

Resolution:
- The class now ensures that URL paths always start with a .
- The patch for this issue is available here for branch 5.4.

Credits:
- Andrew Atkinson for discovering the issue.
- Chris Smith for reporting it.
- Nicolas Grekas for providing the fix.
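The following is an added, framework-agnostic illustration of the bug class the description above refers to; it is not code from the affected project or from the advisory. It assumes (as an assumption, not a fact from the page) that access-control rules are regular expressions anchored on a leading `/`, that unmatched paths are allowed by default, and that the router tolerates a missing leading slash. All request inputs are constructed for the example.

```python
import re

# Constructed access-control rules: (regex on the request path, roles allowed).
# Each rule is written with the usual assumption that a path starts with "/".
ACCESS_RULES = [
    (re.compile(r"^/admin"), {"ROLE_ADMIN"}),
]


def roles_required(path):
    """Return the role set of the first matching rule, or None if no rule matches."""
    for pattern, roles in ACCESS_RULES:
        if pattern.search(path):
            return roles
    return None


def is_allowed(path, roles):
    """Assumption: a path that matches no rule is public (default allow).

    That default is what makes a malformed path dangerous: a path that
    fails every "^/..." rule is treated as unrestricted.
    """
    required = roles_required(path)
    if required is None:
        return True
    return bool(required & roles)


def vulnerable_path_info(server):
    """Mimics the pre-fix behaviour: the PATH_INFO value is trusted as given,
    so a value without a leading slash is propagated unchanged."""
    return server.get("PATH_INFO", "") or "/"


def fixed_path_info(server):
    """Mimics the fix: the path handed to access control always starts with "/"."""
    path = server.get("PATH_INFO", "") or "/"
    if not path.startswith("/"):
        path = "/" + path
    return path


def route(path):
    """Hypothetical router that normalises the path itself. The inconsistency
    between what the access rules saw ("admin/...") and what gets dispatched
    ("/admin/...") is the bypass."""
    normalized = "/" + path.lstrip("/")
    if normalized.startswith("/admin"):
        return "admin_controller"
    return "public_controller"


def handle(server, roles, path_info=fixed_path_info):
    """Run access control on the parsed path, then dispatch. Returns the
    controller name that would run, or "403" if access control denies."""
    path = path_info(server)
    if not is_allowed(path, roles):
        return "403"
    return route(path)


if __name__ == "__main__":
    anon = {"ANONYMOUS"}
    # Constructed request whose PATH_INFO lacks the leading slash.
    bad = {"PATH_INFO": "admin/users"}
    print("vulnerable:", handle(bad, anon, vulnerable_path_info))  # admin_controller
    print("fixed:     ", handle(bad, anon, fixed_path_info))       # 403
```

The check a practitioner wants is the one `fixed_path_info` performs: normalise the path once, before any rule is evaluated, rather than trusting each rule author to handle a missing prefix. When auditing rule sets, also remember that a catch-all rule such as `^/` is bypassed by the same malformed path, so "deny everything under `/`" is not a safety net here.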