CVE-2026-45305

Symfony · Symfony / Yaml

The Symfony YAML component is susceptible to inefficient regular expression complexity, which can be exploited by an unauthenticated attacker to cause a denial of service.

Executive summary

The Symfony framework is vulnerable to high-severity denial of service attacks resulting from regular expression complexity issues in its YAML parsing logic.

Vulnerability

This is a CWE-1333 Inefficient Regular Expression Complexity vulnerability, where specially crafted input can cause catastrophic backtracking, leading to high CPU usage by an unauthenticated attacker.

Business impact

This vulnerability poses a serious threat to application availability. A CVSS score of 8.7 indicates that the vulnerability is easy to exploit remotely without authentication, potentially allowing an attacker to render a web application unresponsive or cause significant performance degradation.

Remediation

Immediate Action: Update the Symfony YAML component to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12 to address the regex performance issues.

Proactive Monitoring: Review application performance monitoring logs for unexpected latency or CPU spikes occurring during the processing of user-provided YAML data.

Compensating Controls: Use a Web Application Firewall to filter or rate-limit requests that contain complex or unusually large YAML content.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Security teams must treat this vulnerability with high urgency. Patching the affected software versions is the most effective method to prevent potential service disruptions caused by malicious input.