PHP CVE-2026-45133
LOW
GHSA-c2p3-7m5p-cv8x
Lifecycle Timeline
2DescriptionNVD
Description
Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
Resolution
The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
AnalysisAI
Unbounded recursion in Symfony's YAML component (symfony/yaml) crashes PHP worker processes when parsing attacker-controlled documents containing deeply nested mappings or sequences. Both the block-level parser (Parser::parseBlock()) and inline parsers (Inline::parseSequence(), Inline::parseMapping()) recurse without a depth ceiling, allowing a single crafted YAML document to exhaust the PHP call stack and kill the worker. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today