Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Description
Symfony routes can declare a requirements regex per path parameter, e.g. a route /{_locale}/blog with requirements: { _locale: 'en|fr|de' }. The Twig path() / url() helpers (backed by UrlGenerator) validate supplied parameter values against that regex before building the URL.
UrlGenerator constructs the validation pattern as '#^'.$req.'$#', where $req is the raw requirement string. For a requirement expressed as an alternation, e.g. _locale: 'ar|bg|...|vi|...|zh_CN' (very common), ^ and $ anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like /evil.com satisfies the requirement (because it contains vi), and the generated path becomes //evil.com/...: a protocol-relative URL the browser navigates off-site.
Resolution
The UrlGenerator class now wraps the requirement in a non-capturing group so the ^ and $ anchors apply to the whole alternation.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
AnalysisAI
Protocol-relative URL injection in Symfony's UrlGenerator allows open redirect via regex alternation bypass in route parameter validation. When route requirements use alternation patterns (e.g., _locale: 'en|fr|vi|de'), the validation regex #^REQUIREMENT$# fails to anchor middle alternatives due to regex operator precedence, enabling substring matching against attacker-supplied values. An attacker who can influence route parameters fed into the Twig path()/url() helpers can inject a value like /evil.com - which satisfies the requirement by containing vi as a substring - causing UrlGenerator to produce //evil.com/..., a protocol-relative URL the browser navigates off-site. No public exploit is identified at time of analysis, and the vulnerability is not listed in CISA KEV; patches are released across all supported Symfony branches.
Technical ContextAI
The flaw resides in src/Symfony/Component/Routing/Generator/UrlGenerator.php within the doGenerate() method, specifically in the preg_match call that validates route parameter values against declared requirements. The root cause is CWE-185 (Incorrect Regular Expression): the validation pattern is constructed as #^REQUIREMENT$#, but PHP regex operator precedence means the alternation operator | binds more tightly than ^ and $ anchors. For a requirement like en|fr|vi|de, the compiled pattern is effectively (^en)|(fr)|(vi)|(de$) - only the first and last alternatives are anchored, while middle alternatives (fr, vi) match as unanchored substrings anywhere in the input. The fix, confirmed by the upstream patch commit, wraps the requirement in a non-capturing group: #^(?:REQUIREMENT)$#, ensuring anchors apply to the full alternation. The affected packages are composer/symfony/routing and composer/symfony/symfony across all active version branches.
RemediationAI
Upgrade the Symfony Routing component to the patched version for your branch: 5.4.52 for 5.4.x, 6.4.40 for 6.x, 7.4.12 for 7.x, or 8.0.12 for 8.x, as confirmed by the GHSA advisory at https://github.com/symfony/symfony/security/advisories/GHSA-72xp-p242-47p9 and the upstream patch commit at https://github.com/symfony/symfony/commit/bcf487c22f3240ba994124e0e0fe8616f3cfc47a. If an immediate framework upgrade is not feasible, a targeted compensating control is to audit all route definitions and explicitly group alternation requirements using a non-capturing group - replacing _locale: 'en|fr|vi|de' with _locale: '(?:en|fr|vi|de)' directly in route configuration files. This replicates the framework-level fix at the route definition layer and does not require a Symfony upgrade, though it demands manual review of every route using alternation requirements and will not protect against future route additions that omit the grouping. An additional defense-in-depth measure is to validate and allowlist route parameter inputs at the application boundary (e.g., in form handling or API controllers) before values reach UrlGenerator, reducing reliance on the regex validation layer entirely.
Same weakness CWE-185 – Incorrect Regular Expression
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44323
GHSA-72xp-p242-47p9