Symfony YAML CVE-2026-45305
LOW
GHSA-9frc-8383-795m
Lifecycle Timeline
2DescriptionNVD
Description
Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', whose [\d.]+ and .* overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized %YAML directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.
Resolution
The four regexes in Parser::cleanup() (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
AnalysisAI
Catastrophic backtracking in Symfony's YAML component (symfony/yaml) allows denial of service via crafted input to the Parser::cleanup() method. The four regexes responsible for stripping %YAML directive headers, leading comments, and document start/end markers contain overlapping quantifiers - notably [\d.]+ and .* both matching the dot character - enabling an attacker supplying a single oversized directive header or comment line to cause the PHP process to hang indefinitely. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today