Skip to main content

Symfony Yaml EUVDEUVD-2026-44358

| CVE-2026-45304 HIGH
Improper Restriction of Recursive Entity References in DTDs (CWE-776)
2026-05-27 https://github.com/symfony/symfony GHSA-4qpc-3hr4-r2p4
8.7
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Untrusted YAML is parsed remotely with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is memory-exhaustion DoS only, so C:N/I:N/A:H and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 19:39 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 19:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 22:37 vuln.today
Analysis Generated
May 27, 2026 - 22:37 vuln.today

DescriptionCVE.org

Description

Symfony\Component\Yaml\Parser resolves YAML aliases (*anchor) during parsing. Aliases that reference *collections* (arrays, stdClass, TaggedValue-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.

Resolution

The Parser now counts collection alias resolutions in a shared ParserState object, with a default limit of 128, following the SnakeYAML model. Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile(). A new Yaml::PARSE_EXCEPTION_ON_ALIAS flag also rejects all aliases outright when parsing fully untrusted input.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

AnalysisAI

Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.

Technical ContextAI

The vulnerable code is Symfony\Component\Yaml\Parser, the pure-PHP YAML parser used across the Symfony ecosystem and many standalone PHP projects that depend on symfony/yaml. YAML supports anchors (&name) and aliases (*name) for referencing previously defined nodes. When an alias points to a collection (a PHP array, stdClass, or a TaggedValue-wrapped collection) and those collections in turn contain further aliases to other collections, resolution multiplies at each level, producing exponential (rather than linear) growth - the canonical XML/YAML entity-expansion attack. This maps to CWE-776 (Improper Restriction of Recursive Entity References, i.e. entity expansion), the same root-cause class as classic 'Billion Laughs' XML attacks. The fix introduces a shared ParserState that counts collection-alias resolutions and caps them at a default of 128 (mirroring SnakeYAML's LoaderOptions), leaves scalar aliases uncounted because they cannot drive exponential growth, and adds a Yaml::PARSE_EXCEPTION_ON_ALIAS flag to reject aliases entirely for fully untrusted input.

RemediationAI

Vendor-released patch: upgrade symfony/yaml (or symfony/symfony) to 5.4.52, 6.4.40, 7.4.12, or 8.0.12 depending on your branch (composer update symfony/yaml); the fix is commit e77391b2e4f18821198f010d573674c8ed4a970a. After upgrading, the parser enforces a default limit of 128 collection-alias resolutions, tunable via the new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse(), and Yaml::parseFile() - lower it for high-risk endpoints (trade-off: legitimate config files relying on many aliases may be rejected). For fully untrusted input, pass the new Yaml::PARSE_EXCEPTION_ON_ALIAS flag to reject all aliases outright (trade-off: any legitimate use of YAML anchors/aliases will fail). If you cannot upgrade immediately, avoid parsing attacker-controlled YAML, validate/limit input size before parsing, and run YAML parsing in a memory-capped worker so an expansion attempt kills only the worker rather than the host. See the advisory at https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4 and https://symfony.com/cve-2026-45304.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-44358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy