Search
Find a vulnerability
Search criteria
4 vulnerabilities found for yaml by symfony
CVE-2026-45305 (GCVE-0-2026-45305)
Vulnerability from nvd – Published: 2026-07-14 18:50 – Updated: 2026-07-15 14:03
VLAI
EPSS
VEX
Title
Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Summary
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/symfony/symfony/security/advis… | x_refsource_CONFIRM |
| https://github.com/symfony/symfony/commit/9749cd4… | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v5.4.52 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v6.4.40 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v7.4.12 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v8.0.12 | x_refsource_MISC |
Impacted products
2 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:03:51.536649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:03:58.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symfony",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
},
{
"product": "yaml",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T18:50:14.830Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
},
{
"name": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
}
],
"source": {
"advisory": "GHSA-9frc-8383-795m",
"discovery": "UNKNOWN"
},
"title": "Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45305",
"datePublished": "2026-07-14T18:50:14.830Z",
"dateReserved": "2026-05-11T20:14:43.202Z",
"dateUpdated": "2026-07-15T14:03:58.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45304 (GCVE-0-2026-45304)
Vulnerability from nvd – Published: 2026-07-14 18:48 – Updated: 2026-07-14 19:13
VLAI
EPSS
VEX
Title
Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Summary
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/symfony/symfony/security/advis… | x_refsource_CONFIRM |
| https://github.com/symfony/symfony/commit/e77391b… | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v5.4.52 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v6.4.40 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v7.4.12 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v8.0.12 | x_refsource_MISC |
Impacted products
2 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T19:13:27.727393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:13:39.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symfony",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
},
{
"product": "yaml",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T18:48:49.329Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
},
{
"name": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
}
],
"source": {
"advisory": "GHSA-4qpc-3hr4-r2p4",
"discovery": "UNKNOWN"
},
"title": "Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\"Billion Laughs\")"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45304",
"datePublished": "2026-07-14T18:48:49.329Z",
"dateReserved": "2026-05-11T20:14:43.202Z",
"dateUpdated": "2026-07-14T19:13:39.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45305 (GCVE-0-2026-45305)
Vulnerability from cvelistv5 – Published: 2026-07-14 18:50 – Updated: 2026-07-15 14:03
VLAI
EPSS
VEX
Title
Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Summary
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/symfony/symfony/security/advis… | x_refsource_CONFIRM |
| https://github.com/symfony/symfony/commit/9749cd4… | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v5.4.52 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v6.4.40 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v7.4.12 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v8.0.12 | x_refsource_MISC |
Impacted products
2 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:03:51.536649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:03:58.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symfony",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
},
{
"product": "yaml",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T18:50:14.830Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
},
{
"name": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
}
],
"source": {
"advisory": "GHSA-9frc-8383-795m",
"discovery": "UNKNOWN"
},
"title": "Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45305",
"datePublished": "2026-07-14T18:50:14.830Z",
"dateReserved": "2026-05-11T20:14:43.202Z",
"dateUpdated": "2026-07-15T14:03:58.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45304 (GCVE-0-2026-45304)
Vulnerability from cvelistv5 – Published: 2026-07-14 18:48 – Updated: 2026-07-14 19:13
VLAI
EPSS
VEX
Title
Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Summary
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/symfony/symfony/security/advis… | x_refsource_CONFIRM |
| https://github.com/symfony/symfony/commit/e77391b… | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v5.4.52 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v6.4.40 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v7.4.12 | x_refsource_MISC |
| https://github.com/symfony/symfony/releases/tag/v8.0.12 | x_refsource_MISC |
Impacted products
2 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T19:13:27.727393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:13:39.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symfony",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
},
{
"product": "yaml",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.52"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
},
{
"status": "affected",
"version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T18:48:49.329Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
},
{
"name": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
},
{
"name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
}
],
"source": {
"advisory": "GHSA-4qpc-3hr4-r2p4",
"discovery": "UNKNOWN"
},
"title": "Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\"Billion Laughs\")"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45304",
"datePublished": "2026-07-14T18:48:49.329Z",
"dateReserved": "2026-05-11T20:14:43.202Z",
"dateUpdated": "2026-07-14T19:13:39.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}