Skip to main content

Symfony JsonPath CVE-2026-45756

| EUVDEUVD-2026-44340 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 https://github.com/symfony/symfony GHSA-8v8v-g73j-492j
8.2
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N) but requires the application to evaluate attacker-controlled JSONPath, a precondition mapped to AC:H; availability-only impact (A:H, C:N/I:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 18:22 NVD
8.2 (HIGH)
Source Code Evidence Fetched
May 28, 2026 - 18:01 vuln.today
Analysis Generated
May 28, 2026 - 18:01 vuln.today

DescriptionCVE.org

Description

The JsonPath component's match() and search() filter functions compile a caller-supplied pattern straight into preg_match():

php
'match'  => @preg_match(\sprintf('/^%s$/u', $this->transformJsonPathRegex($argList[1])), $value),
'search' => @preg_match("/{$this->transformJsonPathRegex($argList[1])}/u", $value),

transformJsonPathRegex() only performs cosmetic escaping: there is no length cap, no restriction to the RFC 9485 i-regexp subset, and no bound on backtracking. An application that evaluates an attacker-influenced JSONPath expression server-side (e.g. one taken from a query parameter or API field and passed to JsonCrawler) can therefore be made to run a catastrophic-backtracking pattern such as $[?search(@, "(a+)+$")]. Evaluated against a moderately sized document, this pins a CPU core for seconds per request, so a handful of concurrent requests exhausts the worker pool: a denial of service. Because the preg_match() calls are prefixed with @, the PCRE backtrack-limit errors that would otherwise surface are suppressed, leaving no log trace.

Conditions for exploitation

An application that evaluates an attacker-influenced JSONPath expression containing a match() / search() filter against any non-trivial JSON input.

Resolution

JsonCrawler runs the preg_match() calls through a helper that lowers pcre.backtrack_limit to 10000 for the duration of the call (restoring the previous value afterwards), so a pathological pattern fails fast instead of stalling the worker.

The patch for this issue is available here for branch 7.4.

Credits

Symfony would like to thank Himanshu Anand for reporting the issue and Alexandre Daubois for providing the fix.

AnalysisAI

Denial of service in the Symfony JsonPath component (json-path 7.3.0-7.4.11 and 8.0.0-8.0.11) lets remote attackers exhaust CPU and worker capacity when an application evaluates attacker-influenced JSONPath expressions server-side. The match()/search() filter functions compile caller-supplied patterns directly into preg_match() with no length cap, i-regexp restriction, or backtracking bound, so a crafted pattern like $[?search(@, "(a+)+$")] triggers catastrophic backtracking that pins a core for seconds per request. There is no public exploit identified at time of analysis and EPSS is very low (0.08%), but the pathological pattern is disclosed in the advisory and the fix is available in 7.4.12 and 8.0.12.

Technical ContextAI

The affected technology is the Symfony JsonPath component (Composer packages symfony/json-path and the symfony/symfony monolith, per pkg:composer/symfony_json-path and pkg:composer/symfony_symfony CPEs), which implements RFC 9535 JSONPath querying via the JsonCrawler class. The root cause is CWE-400 (Uncontrolled Resource Consumption), manifesting here as regular-expression denial of service: transformJsonPathRegex() performs only cosmetic escaping and hands the resulting pattern straight to PCRE's preg_match() with the /u modifier, without limiting length, constraining input to the RFC 9485 i-regexp safe subset, or capping backtracking. PCRE's default pcre.backtrack_limit is high enough that nested-quantifier patterns (e.g. (a+)+) produce exponential backtracking against modestly sized subject strings. The @ error-suppression operator on both preg_match() calls further hides the PCRE backtrack-limit warning, so exhaustion leaves no log trace, complicating detection.

RemediationAI

Vendor-released patch: upgrade symfony/json-path (or symfony/symfony) to 7.4.12 on the 7.x line or 8.0.12 on the 8.x line, per releases https://github.com/symfony/symfony/releases/tag/v7.4.12 and https://github.com/symfony/symfony/releases/tag/v8.0.12 and commit https://github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14; the fix wraps the preg_match() calls in a safeRegexMatch() helper that lowers pcre.backtrack_limit to 10000 for the duration of the match and restores it afterward, so pathological patterns fail fast. If you cannot upgrade immediately, the highest-value compensating control is to stop evaluating attacker-influenced JSONPath: validate or allowlist JSONPath expressions before passing them to JsonCrawler, and specifically reject or strip match()/search() filter functions from untrusted input (trade-off: breaks legitimate use of those filters). As a process-wide mitigation you can set php.ini pcre.backtrack_limit to a low value such as 10000 to bound backtracking globally (trade-off: may cause legitimate large-input regex operations elsewhere in the application to fail), and place per-request CPU/time limits or a WAF rate limit in front of endpoints that accept JSONPath. Because the preg_match() calls are @-suppressed, add explicit monitoring for CPU-bound requests since PCRE errors will not surface in logs.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-45756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy