Skip to main content

Symfony LiveComponent CVE-2026-49209

LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-19 https://github.com/symfony/ux

Severity by source

vuln.today AI
6.5 MEDIUM

Network-reachable _batch endpoint requires only a valid authenticated session (PR:L); trivial to craft; sole impact is availability exhaustion with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:42 vuln.today
Analysis Generated
Jun 19, 2026 - 21:42 vuln.today

DescriptionCVE.org

Description

Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.

Resolution

BatchActionController now enforces an upper bound of 50 actions per _batch request (MAX_ACTIONS_PER_BATCH) and rejects larger payloads up front with a BadRequestHttpException. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

Denial of service in symfony/ux-live-component's BatchActionController allows authenticated users to exhaust server CPU, memory, and database connections by submitting a single _batch HTTP request containing an unbounded number of actions. Each action in the client-supplied array triggers a full HttpKernel sub-request - including event subscribers, validators, Doctrine queries, and rendering - with no upper limit on array size. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to target application
Delivery
Inspect _batch endpoint URL and request schema
Exploit
Craft POST request with thousands of action entries
Install
Submit single oversized _batch request
C2
Server spawns unbounded HttpKernel sub-requests per action
Execute
CPU, memory, and DB connections exhausted
Impact
Application unavailable to all users

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on the target application - the description explicitly states 'authenticated client,' meaning anonymous access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was published by NVD or the vendor at time of analysis, so numeric severity cannot be directly cited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user logs into a web application built on symfony/ux-live-component, inspects the network traffic to identify the _batch endpoint URL and request structure, then crafts a single POST request containing an array of thousands of action entries. The server begins issuing a full HttpKernel sub-request for each entry, rapidly consuming available PHP worker threads, application memory, and Doctrine database connections until the server becomes unresponsive to all other users. …
Remediation Upgrade symfony/ux-live-component to version 2.36.0 (for 2.x consumers) or 3.1.0 (for 3.x consumers) via Composer: run 'composer update symfony/ux-live-component'. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy