Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for yaml by symfony

    CVE-2026-45305 (GCVE-0-2026-45305)

    Vulnerability from nvd – Published: 2026-07-14 18:50 – Updated: 2026-07-15 14:03
    VLAI
    Title
    Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony yaml Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:03:51.536649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:03:58.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "yaml",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:50:14.830Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-9frc-8383-795m",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45305",
        "datePublished": "2026-07-14T18:50:14.830Z",
        "dateReserved": "2026-05-11T20:14:43.202Z",
        "dateUpdated": "2026-07-15T14:03:58.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45304 (GCVE-0-2026-45304)

    Vulnerability from nvd – Published: 2026-07-14 18:48 – Updated: 2026-07-14 19:13
    VLAI
    Title
    Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony yaml Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45304",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T19:13:27.727393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T19:13:39.323Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "yaml",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-776",
                  "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:48:49.329Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-4qpc-3hr4-r2p4",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\"Billion Laughs\")"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45304",
        "datePublished": "2026-07-14T18:48:49.329Z",
        "dateReserved": "2026-05-11T20:14:43.202Z",
        "dateUpdated": "2026-07-14T19:13:39.323Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45305 (GCVE-0-2026-45305)

    Vulnerability from cvelistv5 – Published: 2026-07-14 18:50 – Updated: 2026-07-15 14:03
    VLAI
    Title
    Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony yaml Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:03:51.536649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:03:58.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "yaml",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:50:14.830Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-9frc-8383-795m",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45305",
        "datePublished": "2026-07-14T18:50:14.830Z",
        "dateReserved": "2026-05-11T20:14:43.202Z",
        "dateUpdated": "2026-07-15T14:03:58.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45304 (GCVE-0-2026-45304)

    Vulnerability from cvelistv5 – Published: 2026-07-14 18:48 – Updated: 2026-07-14 19:13
    VLAI
    Title
    Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony yaml Affected: < 5.4.52
    Affected: >= 6.0.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45304",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T19:13:27.727393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T19:13:39.323Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "yaml",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.52"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\\Component\\Yaml\\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-776",
                  "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:48:49.329Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v5.4.52",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v5.4.52"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-4qpc-3hr4-r2p4",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\"Billion Laughs\")"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45304",
        "datePublished": "2026-07-14T18:48:49.329Z",
        "dateReserved": "2026-05-11T20:14:43.202Z",
        "dateUpdated": "2026-07-14T19:13:39.323Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }