CVE-2026-45305

Summary

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.

Affected Software

VendorProductVersion RangeStatus
symfonysymfony< 5.4.52affected
symfonysymfony>= 6.0.0-BETA1, < 6.4.40affected
symfonysymfony>= 7.0.0-BETA1, < 7.4.12affected
symfonysymfony>= 8.0.0-BETA1, < 8.0.12affected
symfonyyaml< 5.4.52affected
symfonyyaml>= 6.0.0-BETA1, < 6.4.40affected
symfonyyaml>= 7.0.0-BETA1, < 7.4.12affected
symfonyyaml>= 8.0.0-BETA1, < 8.0.12affected

Weaknesses

  • CWE-1333: CWE-1333: Inefficient Regular Expression Complexity

References