Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

Description

Description

Symfony routes can declare a requirements regex per path parameter, e.g. a route /{_locale}/blog with requirements: { _locale: 'en|fr|de' }. The Twig path() / url() helpers (backed by UrlGenerator) validate supplied parameter values against that regex before building the URL.

UrlGenerator constructs the validation pattern as '#^'.$req.'$#', where $req is the raw requirement string. For a requirement expressed as an alternation, e.g. _locale: 'ar|bg|...|vi|...|zh_CN' (very common), ^ and $ anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like /evil.com satisfies the requirement (because it contains vi), and the generated path becomes //evil.com/...: a protocol-relative URL the browser navigates off-site.

Resolution

The UrlGenerator class now wraps the requirement in a non-capturing group so the ^ and $ anchors apply to the whole alternation.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-27 16:55:16 UTC
Updated
2026-05-27 16:55:18 UTC
GitHub reviewed
2026-05-27 16:55:16 UTC

EPSS Score

No EPSS score in this advisory JSON.

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-185 Incorrect Regular Expression
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Affected packages (8)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer symfony/routing < 5.4.52 5.4.52
composer symfony/routing >= 6.0.0, < 6.4.40 6.4.40
composer symfony/routing >= 7.0.0, < 7.4.12 7.4.12
composer symfony/routing >= 8.0.0, < 8.0.12 8.0.12
composer symfony/symfony < 5.4.52 5.4.52
composer symfony/symfony >= 6.0.0, < 6.4.40 6.4.40
composer symfony/symfony >= 7.0.0, < 7.4.12 7.4.12
composer symfony/symfony >= 8.0.0, < 8.0.12 8.0.12

References

cvelogic Threat Intelligence