PT-2024-40083 · Libxml2 +2

Published: 2024-05-30 · Updated: 2024-05-30

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to the latest version
Description: The issue concerns XML Entity Expansion (XEE) attacks, which can cause a denial of service by exhausting the host's RAM. It stems from the lack of a way to disable custom (internal) entities in PHP, which allows Quadratic Blowup attacks. Passing the LIBXML_NOENT option amplifies the impact, and libxml2's built-in defense against the related Exponential (Billion Laughs) XEE attack is only active when the LIBXML_PARSEHUGE option is not set. An example of a non-fatal XEE attack is provided, showing how a single long entity, defined once and referenced many times from document elements, acts as a memory sink.
Recommendations: For Symfony versions prior to the latest version, apply the provided patch to mitigate the issue. As a temporary workaround, disable the use of custom entities in XML documents until a patch is available. Restrict access to the vulnerable XML parsing functionality to minimize the risk of exploitation. Avoid the LIBXML_NOENT option, as it amplifies the impact of the attack. Consider using libxml_disable_entity_loader(true) together with the LIBXML_NONET option to defend against XXE attacks (the related but distinct external-entity issue).
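A defensive PHP parse routine that applies the recommendations above, added here as an illustration; it is not code from Symfony, libxml2 or the PT advisory, and the function name and the two sample documents are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML with DOMDocument while refusing the inputs that make
 * entity expansion possible. Hypothetical helper written for this example.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    // 1. PHP has no parser switch that forbids custom entities, so refuse any
    //    DTD up front: with no internal subset there is nothing to expand.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $xml)) {
        throw new InvalidArgumentException('DTDs and entity declarations are not accepted');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // 2. Do NOT pass LIBXML_NOENT (it substitutes entity references) and do
        //    NOT pass LIBXML_PARSEHUGE (it disables libxml2's billion-laughs
        //    guard). LIBXML_NONET blocks network access for external resources.
        //    libxml_disable_entity_loader() is deprecated since PHP 8.0 and is
        //    not needed here because no external entity can be declared.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $messages = array_map(fn(LibXMLError $e) => trim($e->message), libxml_get_errors());
            throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
        }
        // 3. Belt and braces: a doctype that slipped past the regex is still rejected.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('Document type declarations are not accepted');
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed inputs: one plain document, one carrying an internal entity.
$benign  = '<?xml version="1.0"?><order><item sku="A1" qty="2"/></order>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>';

echo parseUntrustedXml($benign)->documentElement->tagName, PHP_EOL;
try {
    parseUntrustedXml($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting every DTD is stricter than the page's workaround requires, but it is the only reliable way to rule out internal entity declarations given that PHP exposes no option to disable them.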

Fix

Weakness Enumeration: XML Entity Expansion

Related Identifiers: GHSA-4VF2-QFG3-7598

Affected Products: PHP, Symfony, Libxml2