Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N) but requires the application to evaluate attacker-controlled JSONPath, a precondition mapped to AC:H; availability-only impact (A:H, C:N/I:N).
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Description
The JsonPath component's match() and search() filter functions compile a caller-supplied pattern straight into preg_match():
'match' => @preg_match(\sprintf('/^%s$/u', $this->transformJsonPathRegex($argList[1])), $value),
'search' => @preg_match("/{$this->transformJsonPathRegex($argList[1])}/u", $value),transformJsonPathRegex() only performs cosmetic escaping: there is no length cap, no restriction to the RFC 9485 i-regexp subset, and no bound on backtracking. An application that evaluates an attacker-influenced JSONPath expression server-side (e.g. one taken from a query parameter or API field and passed to JsonCrawler) can therefore be made to run a catastrophic-backtracking pattern such as $[?search(@, "(a+)+$")]. Evaluated against a moderately sized document, this pins a CPU core for seconds per request, so a handful of concurrent requests exhausts the worker pool: a denial of service. Because the preg_match() calls are prefixed with @, the PCRE backtrack-limit errors that would otherwise surface are suppressed, leaving no log trace.
Conditions for exploitation
An application that evaluates an attacker-influenced JSONPath expression containing a match() / search() filter against any non-trivial JSON input.
Resolution
JsonCrawler runs the preg_match() calls through a helper that lowers pcre.backtrack_limit to 10000 for the duration of the call (restoring the previous value afterwards), so a pathological pattern fails fast instead of stalling the worker.
The patch for this issue is available here for branch 7.4.
Credits
Symfony would like to thank Himanshu Anand for reporting the issue and Alexandre Daubois for providing the fix.
AnalysisAI
Denial of service in the Symfony JsonPath component (json-path 7.3.0-7.4.11 and 8.0.0-8.0.11) lets remote attackers exhaust CPU and worker capacity when an application evaluates attacker-influenced JSONPath expressions server-side. The match()/search() filter functions compile caller-supplied patterns directly into preg_match() with no length cap, i-regexp restriction, or backtracking bound, so a crafted pattern like $[?search(@, "(a+)+$")] triggers catastrophic backtracking that pins a core for seconds per request. There is no public exploit identified at time of analysis and EPSS is very low (0.08%), but the pathological pattern is disclosed in the advisory and the fix is available in 7.4.12 and 8.0.12.
Technical ContextAI
The affected technology is the Symfony JsonPath component (Composer packages symfony/json-path and the symfony/symfony monolith, per pkg:composer/symfony_json-path and pkg:composer/symfony_symfony CPEs), which implements RFC 9535 JSONPath querying via the JsonCrawler class. The root cause is CWE-400 (Uncontrolled Resource Consumption), manifesting here as regular-expression denial of service: transformJsonPathRegex() performs only cosmetic escaping and hands the resulting pattern straight to PCRE's preg_match() with the /u modifier, without limiting length, constraining input to the RFC 9485 i-regexp safe subset, or capping backtracking. PCRE's default pcre.backtrack_limit is high enough that nested-quantifier patterns (e.g. (a+)+) produce exponential backtracking against modestly sized subject strings. The @ error-suppression operator on both preg_match() calls further hides the PCRE backtrack-limit warning, so exhaustion leaves no log trace, complicating detection.
RemediationAI
Vendor-released patch: upgrade symfony/json-path (or symfony/symfony) to 7.4.12 on the 7.x line or 8.0.12 on the 8.x line, per releases https://github.com/symfony/symfony/releases/tag/v7.4.12 and https://github.com/symfony/symfony/releases/tag/v8.0.12 and commit https://github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14; the fix wraps the preg_match() calls in a safeRegexMatch() helper that lowers pcre.backtrack_limit to 10000 for the duration of the match and restores it afterward, so pathological patterns fail fast. If you cannot upgrade immediately, the highest-value compensating control is to stop evaluating attacker-influenced JSONPath: validate or allowlist JSONPath expressions before passing them to JsonCrawler, and specifically reject or strip match()/search() filter functions from untrusted input (trade-off: breaks legitimate use of those filters). As a process-wide mitigation you can set php.ini pcre.backtrack_limit to a low value such as 10000 to bound backtracking globally (trade-off: may cause legitimate large-input regex operations elsewhere in the application to fail), and place per-request CPU/time limits or a WAF rate limit in front of endpoints that accept JSONPath. Because the preg_match() calls are @-suppressed, add explicit monitoring for CPU-bound requests since PCRE errors will not surface in logs.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44340
GHSA-8v8v-g73j-492j