Skip to main content

Symfony Routing CVE-2026-45065

| EUVDEUVD-2026-44323 LOW
Incorrect Regular Expression (CWE-185)
2026-05-27 https://github.com/symfony/symfony GHSA-72xp-p242-47p9
2.3
CVSS 4.0 · Vendor: https://github.com/symfony/symfony

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 18:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
May 27, 2026 - 21:23 vuln.today
Analysis Generated
May 27, 2026 - 21:23 vuln.today

DescriptionCVE.org

Description

Symfony routes can declare a requirements regex per path parameter, e.g. a route /{_locale}/blog with requirements: { _locale: 'en|fr|de' }. The Twig path() / url() helpers (backed by UrlGenerator) validate supplied parameter values against that regex before building the URL.

UrlGenerator constructs the validation pattern as '#^'.$req.'$#', where $req is the raw requirement string. For a requirement expressed as an alternation, e.g. _locale: 'ar|bg|...|vi|...|zh_CN' (very common), ^ and $ anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like /evil.com satisfies the requirement (because it contains vi), and the generated path becomes //evil.com/...: a protocol-relative URL the browser navigates off-site.

Resolution

The UrlGenerator class now wraps the requirement in a non-capturing group so the ^ and $ anchors apply to the whole alternation.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Protocol-relative URL injection in Symfony's UrlGenerator allows open redirect via regex alternation bypass in route parameter validation. When route requirements use alternation patterns (e.g., _locale: 'en|fr|vi|de'), the validation regex #^REQUIREMENT$# fails to anchor middle alternatives due to regex operator precedence, enabling substring matching against attacker-supplied values. An attacker who can influence route parameters fed into the Twig path()/url() helpers can inject a value like /evil.com - which satisfies the requirement by containing vi as a substring - causing UrlGenerator to produce //evil.com/..., a protocol-relative URL the browser navigates off-site. No public exploit is identified at time of analysis, and the vulnerability is not listed in CISA KEV; patches are released across all supported Symfony branches.

Technical ContextAI

The flaw resides in src/Symfony/Component/Routing/Generator/UrlGenerator.php within the doGenerate() method, specifically in the preg_match call that validates route parameter values against declared requirements. The root cause is CWE-185 (Incorrect Regular Expression): the validation pattern is constructed as #^REQUIREMENT$#, but PHP regex operator precedence means the alternation operator | binds more tightly than ^ and $ anchors. For a requirement like en|fr|vi|de, the compiled pattern is effectively (^en)|(fr)|(vi)|(de$) - only the first and last alternatives are anchored, while middle alternatives (fr, vi) match as unanchored substrings anywhere in the input. The fix, confirmed by the upstream patch commit, wraps the requirement in a non-capturing group: #^(?:REQUIREMENT)$#, ensuring anchors apply to the full alternation. The affected packages are composer/symfony/routing and composer/symfony/symfony across all active version branches.

RemediationAI

Upgrade the Symfony Routing component to the patched version for your branch: 5.4.52 for 5.4.x, 6.4.40 for 6.x, 7.4.12 for 7.x, or 8.0.12 for 8.x, as confirmed by the GHSA advisory at https://github.com/symfony/symfony/security/advisories/GHSA-72xp-p242-47p9 and the upstream patch commit at https://github.com/symfony/symfony/commit/bcf487c22f3240ba994124e0e0fe8616f3cfc47a. If an immediate framework upgrade is not feasible, a targeted compensating control is to audit all route definitions and explicitly group alternation requirements using a non-capturing group - replacing _locale: 'en|fr|vi|de' with _locale: '(?:en|fr|vi|de)' directly in route configuration files. This replicates the framework-level fix at the route definition layer and does not require a Symfony upgrade, though it demands manual review of every route using alternation requirements and will not protect against future route additions that omit the grouping. An additional defense-in-depth measure is to validate and allowlist route parameter inputs at the application boundary (e.g., in form handling or API controllers) before values reach UrlGenerator, reducing reliance on the regex validation layer entirely.

Share

CVE-2026-45065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy