Symfony version(s) affected: all as far as I can tell

Description

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1

userinfo = *( unreserved / pct-encoded / sub-delims / ":" )

The : character is specifically mentioned as something that can occur any number of times.

The change in symfony/validator@adab212 didn't change the handling of this. It seems this regexp attempts to implement https://datatracker.ietf.org/doc/html/rfc2617#section-2 but that one had

  userid      = *<TEXT excluding ":">
  password    = *TEXT

where the userid was mentioned to exclude the colon but password got no such mentions and so the it could contain colons even in the older RFC.