CVE-2026-45065: Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
Symfony routes can declare a requirements regex per path parameter, e.g. a route /{_locale}/blog with requirements: { _locale: 'en|fr|de' }. The Twig path() / url() helpers (backed by UrlGenerator) validate supplied parameter values against that regex before building the URL.
UrlGenerator constructs the validation pattern as '#^'.$req.'$#', where $req is the raw requirement string. For a requirement expressed as an alternation, e.g. _locale: 'ar|bg|...|vi|...|zh_CN' (very common), ^ and $ anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like /evil.com satisfies the requirement (because it contains vi), and the generated path becomes //evil.com/...: a protocol-relative URL the browser navigates off-site.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/routing/CVE-2026-45065.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45065.yaml
- github.com/advisories/GHSA-72xp-p242-47p9
- github.com/symfony/symfony/commit/bcf487c22f3240ba994124e0e0fe8616f3cfc47a
- github.com/symfony/symfony/security/advisories/GHSA-72xp-p242-47p9
- nvd.nist.gov/vuln/detail/CVE-2026-45065
- symfony.com/cve-2026-45065
Code Behaviors & Features
Detect and mitigate CVE-2026-45065 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →