Symfony YAML CVE-2026-45304
LOW
GHSA-4qpc-3hr4-r2p4
Lifecycle Timeline
2DescriptionNVD
Description
Symfony\Component\Yaml\Parser resolves YAML aliases (*anchor) during parsing. Aliases that reference *collections* (arrays, stdClass, TaggedValue-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.
Resolution
The Parser now counts collection alias resolutions in a shared ParserState object, with a default limit of 128, following the SnakeYAML model. Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile(). A new Yaml::PARSE_EXCEPTION_ON_ALIAS flag also rejects all aliases outright when parsing fully untrusted input.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
AnalysisAI
Exponential memory exhaustion in Symfony's YAML parser (symfony/yaml) allows denial of service through crafted YAML documents exploiting the classic 'Billion Laughs' pattern. The Symfony\Component\Yaml\Parser resolves collection aliases (*anchor references to arrays, stdClass, or TaggedValue objects) recursively without any expansion limit, enabling a tiny input document to trigger multi-gigabyte in-memory structures at parse time. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today