Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Untrusted YAML is parsed remotely with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is memory-exhaustion DoS only, so C:N/I:N/A:H and scope unchanged.
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Description
Symfony\Component\Yaml\Parser resolves YAML aliases (*anchor) during parsing. Aliases that reference *collections* (arrays, stdClass, TaggedValue-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.
Resolution
The Parser now counts collection alias resolutions in a shared ParserState object, with a default limit of 128, following the SnakeYAML model. Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile(). A new Yaml::PARSE_EXCEPTION_ON_ALIAS flag also rejects all aliases outright when parsing fully untrusted input.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
AnalysisAI
Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.
Technical ContextAI
The vulnerable code is Symfony\Component\Yaml\Parser, the pure-PHP YAML parser used across the Symfony ecosystem and many standalone PHP projects that depend on symfony/yaml. YAML supports anchors (&name) and aliases (*name) for referencing previously defined nodes. When an alias points to a collection (a PHP array, stdClass, or a TaggedValue-wrapped collection) and those collections in turn contain further aliases to other collections, resolution multiplies at each level, producing exponential (rather than linear) growth - the canonical XML/YAML entity-expansion attack. This maps to CWE-776 (Improper Restriction of Recursive Entity References, i.e. entity expansion), the same root-cause class as classic 'Billion Laughs' XML attacks. The fix introduces a shared ParserState that counts collection-alias resolutions and caps them at a default of 128 (mirroring SnakeYAML's LoaderOptions), leaves scalar aliases uncounted because they cannot drive exponential growth, and adds a Yaml::PARSE_EXCEPTION_ON_ALIAS flag to reject aliases entirely for fully untrusted input.
RemediationAI
Vendor-released patch: upgrade symfony/yaml (or symfony/symfony) to 5.4.52, 6.4.40, 7.4.12, or 8.0.12 depending on your branch (composer update symfony/yaml); the fix is commit e77391b2e4f18821198f010d573674c8ed4a970a. After upgrading, the parser enforces a default limit of 128 collection-alias resolutions, tunable via the new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse(), and Yaml::parseFile() - lower it for high-risk endpoints (trade-off: legitimate config files relying on many aliases may be rejected). For fully untrusted input, pass the new Yaml::PARSE_EXCEPTION_ON_ALIAS flag to reject all aliases outright (trade-off: any legitimate use of YAML anchors/aliases will fail). If you cannot upgrade immediately, avoid parsing attacker-controlled YAML, validate/limit input size before parsing, and run YAML parsing in a memory-capped worker so an expansion attempt kills only the worker rather than the host. See the advisory at https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4 and https://symfony.com/cve-2026-45304.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44358
GHSA-4qpc-3hr4-r2p4