AIKIDO-2026-10959

symfony/routing is vulnerable to Open Redirect

Open Redirect | CVE-2026-48784 | Published Yesterday

61

Medium Risk

This Affects:

PHP: symfony/routing
0.0.1 - 5.4.52 (fixed in 5.4.53)
6.0.0 - 6.4.40 (fixed in 6.4.41)
7.0.0 - 7.4.12 (fixed in 7.4.13)
8.0.0 - 8.0.12 (fixed in 8.0.13)
TL;DR

The UrlGenerator percent-encodes . and .. path segments so that generated URLs still resolve to the originating route after RFC 3986 dot-segment normalization. The pre-fix strtr() logic replaced /../ and /./ in a single non-overlapping scan, so each match consumed the slash the next chained dot-segment needed and every other ./ or ../ segment was left unescaped. When a route parameter uses a permissive requirement such as .+ or .*, attacker-controlled chained dot segments therefore produce a URL that strict RFC 3986 consumers normalize to a different path than the route that generated it. The fix encodes every dot-segment in one left-to-right pass.
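The following is an added illustration, not Symfony's code: a Python model of the strtr()-style replacement the TL;DR describes beside a single-pass encoder, plus RFC 3986 dot-segment removal to show where a strict client ends up for each. The route prefix "/files/", the parameter value and the helper names are constructed for the example; quote(param, safe="/") is an approximation of rawurlencode with "/" restored.

```python
import re
from urllib.parse import quote

# Model of PHP strtr() with an array: one leftmost, longest-key-first,
# non-overlapping scan. Assumed to match the PHP semantics the pre-fix code used.
def strtr(s: str, table: dict) -> str:
    keys = sorted(table, key=len, reverse=True)
    return re.sub("|".join(map(re.escape, keys)), lambda m: table[m.group(0)], s)

def encode_dots_prefix(url: str) -> str:
    """Pre-fix behaviour as the advisory describes it (a model, not Symfony's code):
    one strtr() scan, so a match eats the slash the next dot-segment would need."""
    url = strtr(url, {"/../": "/%2E%2E/", "/./": "/%2E/"})
    if url.endswith("/.."):
        url = url[:-2] + "%2E%2E"
    elif url.endswith("/."):
        url = url[:-1] + "%2E"
    return url

def encode_dots_fixed(url: str) -> str:
    """Fixed behaviour: judge every segment in a single left-to-right pass."""
    table = {".": "%2E", "..": "%2E%2E"}
    return "/".join(table.get(seg, seg) for seg in url.split("/"))

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 as a strict consumer (e.g. a browser) applies it."""
    out, segs = [], path.split("/")[1:]
    for i, seg in enumerate(segs):
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
        if seg in (".", "..") and i == len(segs) - 1:
            out.append("")  # trailing '/.' or '/..' keeps a trailing slash
    return "/" + "/".join(out)

def generate(prefix: str, param: str, encoder) -> str:
    """Constructed route prefix plus a '.+' parameter: percent-encode the parameter
    with '/' left literal, then escape dot-segments with the given encoder."""
    return encoder(prefix + quote(param, safe="/"))

def where_a_strict_client_lands(prefix: str, param: str) -> tuple:
    """(normalized path of the pre-fix URL, normalized path of the fixed URL)."""
    return (remove_dot_segments(generate(prefix, param, encode_dots_prefix)),
            remove_dot_segments(generate(prefix, param, encode_dots_fixed)))
```

For the constructed input ("/files/", "../../secret") the pre-fix URL is "/files/%2E%2E/../secret", which a strict client normalizes to "/files/secret", while the fixed URL "/files/%2E%2E/%2E%2E/secret" survives normalization unchanged.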

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

symfony/routing is vulnerable to Open Redirect in versions 0.0.1 - 5.4.52, 6.0.0 - 6.4.40, 7.0.0 - 7.4.12 and 8.0.0 - 8.0.12.

How to fix this

Upgrade the symfony/routing and/or the symfony/symfony library to the patch version.