Symfony LiveComponent CVE-2026-49209
LOWSeverity by source
Network-reachable _batch endpoint requires only a valid authenticated session (PR:L); trivial to craft; sole impact is availability exhaustion with no confidentiality or integrity effect.
Lifecycle Timeline
2DescriptionCVE.org
Description
Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.
Resolution
BatchActionController now enforces an upper bound of 50 actions per _batch request (MAX_ACTIONS_PER_BATCH) and rejects larger payloads up front with a BadRequestHttpException. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
Denial of service in symfony/ux-live-component's BatchActionController allows authenticated users to exhaust server CPU, memory, and database connections by submitting a single _batch HTTP request containing an unbounded number of actions. Each action in the client-supplied array triggers a full HttpKernel sub-request - including event subscribers, validators, Doctrine queries, and rendering - with no upper limit on array size. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session on the target application - the description explicitly states 'authenticated client,' meaning anonymous access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was published by NVD or the vendor at time of analysis, so numeric severity cannot be directly cited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user logs into a web application built on symfony/ux-live-component, inspects the network traffic to identify the _batch endpoint URL and request structure, then crafts a single POST request containing an array of thousands of action entries. The server begins issuing a full HttpKernel sub-request for each entry, rapidly consuming available PHP worker threads, application memory, and Doctrine database connections until the server becomes unresponsive to all other users. … |
| Remediation | Upgrade symfony/ux-live-component to version 2.36.0 (for 2.x consumers) or 3.1.0 (for 3.x consumers) via Composer: run 'composer update symfony/ux-live-component'. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today