Skip to main content

Symfony Yaml EUVDEUVD-2026-44359

| CVE-2026-45305 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-27 https://github.com/symfony/symfony GHSA-9frc-8383-795m
8.7
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, low-complexity, no auth or interaction when untrusted YAML is parsed; impact is availability-only (A:H) with no confidentiality or integrity effect and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 19:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 19:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 22:37 vuln.today
Analysis Generated
May 27, 2026 - 22:37 vuln.today

DescriptionCVE.org

Description

Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', whose [\d.]+ and .* overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized %YAML directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.

Resolution

The four regexes in Parser::cleanup() (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

AnalysisAI

Denial of service in the Symfony Yaml component (symfony/yaml and the monolithic symfony/symfony) allows remote attackers to hang the parser via catastrophic regular-expression backtracking in Parser::cleanup(). Supplying a YAML document with an oversized %YAML directive header, leading comment, or document-start/end marker forces the CPU to spin for an arbitrarily long time (CWE-1333), stalling any application that parses attacker-influenced YAML. No public weaponized exploit is identified, though the advisory and patch tests disclose the trigger payloads; EPSS is low at 0.08%, and the issue is not on CISA KEV.

Technical ContextAI

The affected code is Symfony's pure-PHP YAML parser. Before parsing, Parser::cleanup() strips optional preamble lines using four PCRE regexes. The flawed patterns - most notably '#^%YAML[: ][\d.]+.*\n#u' - mixed a greedy '[\d.]+' quantifier with a following '.*' that both match the '.' character, creating overlapping, ambiguous quantifiers. On a long crafted header the regex engine explores exponentially many backtracking paths (classic ReDoS / inefficient regular expression complexity, CWE-1333). The fix rewrites all four regexes with possessive quantifiers ('[\d.]++', '[^\n]*+') and unambiguous character classes so no backtracking is possible. CPE data confirms the impacted Composer packages pkg:composer/symfony_yaml and the aggregate pkg:composer/symfony_symfony.

RemediationAI

Vendor-released patch: upgrade to the fixed release for your branch - 5.4.52, 6.4.40, 7.4.12, or 8.0.12 - via 'composer update symfony/yaml' (or symfony/symfony). The corresponding release tags are published at https://github.com/symfony/symfony/releases/tag/v5.4.52, v6.4.40, v7.4.12, and v8.0.12, and the upstream fix commit is https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb. If an immediate upgrade is not possible, the effective compensating control is to avoid passing untrusted or externally controlled input to the YAML parser: validate and cap input size before calling Yaml::parse()/Parser::parse() (reject or truncate documents whose preamble lines exceed a small sane length, e.g. a few kilobytes), or place the parsing endpoint behind size limits and per-request CPU/time limits (set_time_limit, request timeout) so a single hung parse cannot exhaust workers. The trade-off is that strict size caps may reject legitimate large documents and CPU timeouts will abort in-progress requests, so tune thresholds to your data. Full advisory: https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m.

Share

EUVD-2026-44359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy