Affected versions
Symfony versions <5.4.52, >=6, <6.4.40, >=7, <7.4.12, >=8, <8.0.12 of the Symfony Routing component are affected by this security issue.
The issue has been fixed in Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12.
Description
Symfony routes can declare a requirements regex per path parameter, e.g. a route /{_locale}/blog with requirements: { _locale: 'en|fr|de' }. The Twig path() / url() helpers (backed by UrlGenerator) validate supplied parameter values against that regex before building the URL.
UrlGenerator constructs the validation pattern as '#^'.$req.'$#', where $req is the raw requirement string. For a requirement expressed as an alternation, e.g. _locale: 'ar|bg|...|vi|...|zh_CN' (very common), ^ and $ anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like /evil.com satisfies the requirement (because it contains vi), and the generated path becomes //evil.com/...: a protocol-relative URL the browser navigates off-site.
Resolution
The UrlGenerator class now wraps the requirement in a non-capturing group so the ^ and $ anchors apply to the whole alternation.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.