Description Symfony routes can declare a requirements regex per path parameter, e.g. a route "/{_locale}/blog" with "requirements: { _locale: 'en|fr|de' }". The Twig "path()" / "url()" helpers (backed by "UrlGenerator") validate supplied parameter values against that regex before building the URL. UrlGenerator constructs the validation pattern as "'#^'.$req.'$#'", where "$req" is the raw requirement string. For a requirement expressed as an alternation, e.g. "_locale: 'ar|bg|...|vi|...|zh_CN'" (very common), "^" and "$" anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like "/evil.com" satisfies the requirement (because it contains "vi"), and the generated path becomes "//evil.com/...": a protocol-relative URL the browser navigates off-site. Resolution The "UrlGenerator" class now wraps the requirement in a non-capturing group so the "^" and "$" anchors apply to the whole alternation. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/bcf487c22f3240ba994124e0e0fe8616f3cfc47a) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.