Vulnerable Library - symfony/yaml-v8.0.1
Loads and dumps YAML files
Library home page: https://api.github.com/repos/symfony/yaml/zipball/7a1a90ba1df6e821a6b53c4cabdc32a56cabfb14
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-45305
Vulnerable Library - symfony/yaml-v8.0.1
Loads and dumps YAML files
Library home page: https://api.github.com/repos/symfony/yaml/zipball/7a1a90ba1df6e821a6b53c4cabdc32a56cabfb14
Dependency Hierarchy:
- ❌ symfony/yaml-v8.0.1 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: "Symfony\Component\Yaml\Parser::cleanup()" strips the optional "%YAML" directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably "'#^%YAML[: ][\d.]+.\n#u'", whose "[\d.]+" and "." overlap on the dot, which exhibit catastrophic backtracking on crafted input. A single oversized "%YAML" directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.
Resolution: The four regexes in "Parser::cleanup()" (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur. The patch for this issue is available "here" (symfony/symfony@9749cd4) for branch 5.4.
Credits: Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45305
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution:
- https://github.com/symfony/symfony.git - v5.4.52
- https://github.com/symfony/symfony.git - v6.4.40
- https://github.com/symfony/symfony.git - v7.4.12
- https://github.com/symfony/symfony.git - v8.0.12
CVE-2026-45304
Vulnerable Library - symfony/yaml-v8.0.1
Loads and dumps YAML files
Library home page: https://api.github.com/repos/symfony/yaml/zipball/7a1a90ba1df6e821a6b53c4cabdc32a56cabfb14
Dependency Hierarchy:
- ❌ symfony/yaml-v8.0.1 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: "Symfony\Component\Yaml\Parser" resolves YAML aliases ("*anchor") during parsing. Aliases that reference collections (arrays, "stdClass", "TaggedValue"-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.
Resolution: The "Parser" now counts collection alias resolutions in a shared "ParserState" object, with a default limit of 128, following the "SnakeYAML model" (https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/LoaderOptions.java). Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new "$maxAliasesForCollections" argument on "Parser::__construct()", "Yaml::parse()" and "Yaml::parseFile()". A new "Yaml::PARSE_EXCEPTION_ON_ALIAS" flag also rejects all aliases outright when parsing fully untrusted input. The patch for this issue is available "here" (symfony/symfony@e77391b) for branch 5.4.
Credits: Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45304
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution:
- https://github.com/symfony/symfony.git - v5.4.52
- https://github.com/symfony/symfony.git - v6.4.40
- https://github.com/symfony/symfony.git - v7.4.12
- https://github.com/symfony/symfony.git - v8.0.12
CVE-2026-45133
Vulnerable Library - symfony/yaml-v8.0.1
Loads and dumps YAML files
Library home page: https://api.github.com/repos/symfony/yaml/zipball/7a1a90ba1df6e821a6b53c4cabdc32a56cabfb14
Dependency Hierarchy:
- ❌ symfony/yaml-v8.0.1 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description: "Symfony\Component\Yaml\Parser" is the entry point for parsing YAML strings into PHP values via "Yaml::parse()". When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level ("Parser::parseBlock()") and inline ("Inline::parseSequence()" / "Inline::parseMapping()") parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
Resolution: The "Parser" now tracks recursion depth in a shared "ParserState" object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new "$maxNestingLevel" argument on "Parser::__construct()", "Yaml::parse()" and "Yaml::parseFile()". The patch for this issue is available "here" (symfony/symfony@914f427) for branch 5.4.
Credits: Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45133
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution:
- https://github.com/symfony/symfony.git - v5.4.52
- https://github.com/symfony/symfony.git - v6.4.39
- https://github.com/symfony/symfony.git - v7.4.11
- https://github.com/symfony/symfony.git - v8.0.11