CVE-2026-45305
Symfony · Symfony / Yaml
The Symfony YAML component is susceptible to inefficient regular expression complexity, which can be exploited by an unauthenticated attacker to cause a denial of service.
Executive summary
The Symfony framework is vulnerable to high-severity denial of service attacks resulting from regular expression complexity issues in its YAML parsing logic.
Vulnerability
This is a CWE-1333 Inefficient Regular Expression Complexity vulnerability, where specially crafted input can cause catastrophic backtracking, leading to high CPU usage by an unauthenticated attacker.
Business impact
This vulnerability poses a serious threat to application availability. A CVSS score of 8.7 indicates that the vulnerability is easy to exploit remotely without authentication, potentially allowing an attacker to render a web application unresponsive or cause significant performance degradation.
Remediation
Immediate Action: Update the Symfony YAML component to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12 to address the regex performance issues.
Proactive Monitoring: Review application performance monitoring logs for unexpected latency or CPU spikes occurring during the processing of user-provided YAML data.
Compensating Controls: Use a Web Application Firewall to filter or rate-limit requests that contain complex or unusually large YAML content.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Security teams must treat this vulnerability with high urgency. Patching the affected software versions is the most effective method to prevent potential service disruptions caused by malicious input.