Symfony, Improper Encoding or Escaping of Output, CVE-2026-48784 (Medium) -DC-Jun2026-417


The `Symfony\Component\Routing\Generator\UrlGenerator::doGenerate()` function tries to keep generated URLs safe by percent-encoding dot‑segments (. and ..) that appear in path parameters. This encoding is crucial because many RFC 3986‑compliant consumers—routers, reverse proxies, and HTTP clients—perform dot‑segment removal before percent‑decoding. If dot‑segments are left unescaped, the URL can be normalised to a completely different path than the original route.
Before the fix, the encoding was implemented with `strtr($url, ['/../' => '/%2E%2E/', '/./' => '/%2E/'])` plus a trailing‑segment fixup. However, `strtr()` consumes the trailing slash of each match, so the next dot‑segment in a chain cannot start on that slash. Consequently, in a chain of multiple dot‑segments, every other segment is skipped and remains unescaped. For example:
| Input | Output (before fix) | Expected (fully escaped) |
|---|---|---|
| `/../../../` | `/%2E%2E/../%2E%2E/` | `/%2E%2E/%2E%2E/%2E%2E/` |
| `/foo/../../../bar` | `/foo/%2E%2E/../%2E%2E/bar` | `/foo/%2E%2E/%2E%2E/%2E%2E/bar` |

Because the escaping is incomplete, an attacker can craft chained `..` or `.` segments that survive the encoding step. When a route uses a permissive parameter constraint (such as `.+` or .) that accepts dots and slashes, the generated URL will contain unescaped `../` or `./` sequences. A strict RFC‑3986 consumer then collapses these sequences, leading to a different path than the route that originally generated the URL.
This flaw affects the Twig `path()` and `url()` helpers, as well as any server‑side use of UrlGenerator. It is the same class of route round‑trip integrity issue as CVE‑2026‑45065. Note: WHATWG‑conformant browsers already treat `%2E` and `%2E%2E` as dot‑segments during URL parsing, so the previous encoding never protected browser‑side traversal. The fix is intended for RFC‑3986‑compliant consumers.
The solution replaces the faulty `strtr()` with a single left‑to‑right `preg_replace_callback()` pass that uses a lookahead. This approach does not consume the trailing slash, so every adjacent dot‑segment is correctly encoded in one sweep. Patches are available for branches 5.4, 6.4, 7.4, 8.0 and 8.1.
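The following is an added illustration, not Symfony's own source: a minimal re-implementation of the two encoding strategies described above, together with an RFC 3986 dot-segment remover standing in for a strict consumer. The function names are made up here, the shape of the trailing-segment fixup is assumed, and the code assumes PHP 8 (for `str_ends_with()` and arrow functions).

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Re-implements the pre-fix strtr() encoding
// and the lookahead-based single pass, then normalises both outputs the way an
// RFC 3986 consumer would (dot-segment removal before percent-decoding).

/** Pre-fix approach: strtr() plus a fixup for a trailing "/." or "/..". */
function encodeDotSegmentsStrtr(string $url): string
{
    // strtr() consumes the trailing '/' of every match, so when dot-segments
    // are chained the next '/../' cannot start on that slash and is skipped.
    $url = strtr($url, ['/../' => '/%2E%2E/', '/./' => '/%2E/']);

    // Assumed shape of the "trailing-segment fixup": a final "/.." or "/."
    // has no trailing slash and must be handled separately.
    if (str_ends_with($url, '/..')) {
        return substr($url, 0, -2) . '%2E%2E';
    }
    if (str_ends_with($url, '/.')) {
        return substr($url, 0, -1) . '%2E';
    }
    return $url;
}

/** Fixed approach: one left-to-right pass; the lookahead leaves the slash unconsumed. */
function encodeDotSegmentsLookahead(string $url): string
{
    // "/." or "/.." followed by "/" or end of string. The lookahead (?=/|$)
    // does not consume the slash, so adjacent dot-segments all match.
    return preg_replace_callback(
        '#/(\.\.?)(?=/|$)#',
        static fn (array $m): string => '/' . str_replace('.', '%2E', $m[1]),
        $url
    );
}

/** RFC 3986 section 5.2.4 style dot-segment removal on the raw (undecoded) path. */
function removeDotSegments(string $path): string
{
    $segments = explode('/', $path);
    $last = count($segments) - 1;
    $out = [''];                            // leading '' keeps the root '/'
    foreach ($segments as $i => $segment) {
        if ($i === 0) {
            continue;                       // the '' before the leading slash
        }
        if ($segment === '.' || $segment === '..') {
            if ($segment === '..' && count($out) > 1) {
                array_pop($out);            // step up one segment, never above root
            }
            if ($i === $last) {
                $out[] = '';                // "/a/.." resolves to "/", keep the slash
            }
            continue;
        }
        $out[] = $segment;
    }
    return implode('/', $out);
}

// Constructed input: a route /files/{path} generated with path = "../../../admin".
$generated = '/files/../../../admin';

$old = encodeDotSegmentsStrtr($generated);      // /files/%2E%2E/../%2E%2E/admin
$new = encodeDotSegmentsLookahead($generated);  // /files/%2E%2E/%2E%2E/%2E%2E/admin

printf("strtr    : %s -> normalised %s\n", $old, removeDotSegments($old));
printf("lookahead: %s -> normalised %s\n", $new, removeDotSegments($new));
// The strtr output still carries a raw '..' and is rewritten by the consumer to
// /files/%2E%2E/%2E%2E/admin; the lookahead output survives normalisation unchanged.
```

Running it shows the middle dot-segment of the chain surviving `strtr()` unescaped, exactly as in the table above, and the consumer-side normalisation producing a different path for the old encoding than for the fixed one. The regex form is the author's own lookahead idea applied literally; Symfony's actual callback may differ in detail.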

DailyCVE Form:

Platform: Symfony
Version: <5.4.53, <6.4.41, <7.4.13, <8.0.13
Vulnerability: Improper Encoding
Severity: Medium
Date: 27/05/2026

Prediction: 27/05/2026

What Undercode Say:

```shell
# Check current Symfony version (example for composer-based project;
# query symfony/routing instead if the symfony/symfony metapackage is not installed)
composer show symfony/symfony | grep versions

# Quick test for vulnerable UrlGenerator behaviour (conceptual)
curl -v "http://localhost/path?param=../../../etc/passwd"

# Verify patch by confirming the UrlGenerator uses preg_replace_callback
grep -A5 "preg_replace_callback" vendor/symfony/routing/Generator/UrlGenerator.php
```

Exploit:

A remote attacker identifies a route that accepts a broad parameter (e.g. `.+` or .). They supply a value containing chained dot‑segments, such as `../../../admin`. The `UrlGenerator` escapes only every other dot‑segment, producing a URL that still contains raw `../` sequences. A strict RFC‑3986 consumer (like a reverse proxy or internal router) normalises this to a different path, potentially bypassing access controls or redirecting the victim.

Protection:

Upgrade the `symfony/routing` or `symfony/symfony` package to the fixed versions:
– `5.4.53` or higher
– `6.4.41` or higher
– `7.4.13` or higher
– `8.0.13` or higher

composer update symfony/routing

Impact:

Successful exploitation can redirect a user to an arbitrary external site (open redirect) or cause the application to resolve an internal route incorrectly. This may lead to phishing attacks, information disclosure, or bypass of security controls.


Sources:

Reported By: github.com