CVE-2026-45304

Symfony · Symfony / Yaml

A vulnerability in the Symfony YAML component allows for XML entity expansion, which can lead to denial of service via resource exhaustion.

Executive summary

The Symfony framework contains a high-severity vulnerability that allows unauthenticated attackers to trigger resource exhaustion through improper restriction of recursive entity references.

Vulnerability

This is a CWE-776 XML Entity Expansion vulnerability where the application fails to properly restrict recursive entity references, allowing an unauthenticated remote attacker to consume system resources.

Business impact

Successful exploitation of this flaw can result in significant system downtime or service unavailability, as the recursive entity expansion can lead to excessive memory or CPU consumption. With a CVSS score of 8.7, this is classified as a high-severity risk that could disrupt critical business operations relying on Symfony-based infrastructure.

Remediation

Immediate Action: Upgrade to Symfony versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12 to incorporate the necessary security patches.

Proactive Monitoring: Monitor server logs and system resource metrics for sudden spikes in CPU or memory usage that correlate with incoming web requests.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block malformed or recursive XML-like payloads if an immediate patch cannot be applied.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the high CVSS score and the ease of exploitation, teams should prioritize patching their Symfony dependencies. Upgrading to the latest versions is the only definitive way to prevent potential denial of service attacks against your application infrastructure.