PT-2024-40262 · Php+2

Published 2024-05-30 · Updated 2024-05-30

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to the latest version
Description: The issue concerns XML Entity Expansion (XEE) attacks, which can lead to denial of service by exhausting a host's RAM. PHP exposes no parser option that disables custom (DTD-declared) entities, so an attacker can define one long internal entity and reference it many times in document elements. The expanded size is the entity length multiplied by the number of references, while the document itself stays small, so the parse becomes a memory sink. Passing LIBXML_NOENT amplifies the impact, because it asks libxml to substitute every reference with the expanded text inside the parsed tree. This is the quadratic blowup attack: unlike the nested "billion laughs" variant, it needs only a single entity definition referenced repeatedly.
Recommendations: For Symfony versions prior to the latest version, apply the provided patch. Until it can be applied, reject XML documents that declare custom entities; in practice this means refusing any document that carries a DOCTYPE, since libxml offers no option that disables internal entity declarations on their own. Restrict access to the vulnerable XML parsing functionality to minimize the risk of exploitation. Do not pass LIBXML_NOENT, which amplifies the impact, and do not pass LIBXML_PARSEHUGE, which relaxes libxml's hardcoded parser limits, including those on entity recursion and text node size. Consider libxml_disable_entity_loader(true) to disable external entity loading (on PHP 8.0 and later the function is deprecated because libxml 2.9+ already disables external entity loading by default), and optionally LIBXML_NONET to prevent network access while loading documents. Note that LIBXML_NONET does not restrict local filesystem access.
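The payload shape from the description beside the mitigation from the recommendations, as an added PHP example that is not code from the advisory, from Symfony or from PHP itself. The function names, the DOCTYPE-rejection check and the payload sizes are assumptions chosen for illustration; the input document is constructed inline. Whether the vulnerable path actually materializes the expanded text or is stopped by libxml's built-in amplification limits depends on the libxml2 version PHP is linked against, so the example reports whichever happens.

```php
<?php
declare(strict_types=1);

// Build a quadratic-blowup document: one internal entity of $entitySize
// bytes, referenced $refCount times. Expanded text is roughly
// $entitySize * $refCount bytes; the document itself is only about
// $entitySize + 3 * $refCount bytes. (Constructed attacker input.)
function buildQuadraticBlowup(int $entitySize, int $refCount): string
{
    $entity = str_repeat('A', $entitySize);
    $refs   = str_repeat('&a;', $refCount);
    return '<?xml version="1.0"?>'
         . '<!DOCTYPE root [<!ENTITY a "' . $entity . '">]>'
         . '<root>' . $refs . '</root>';
}

// Vulnerable path (hypothetical name): LIBXML_NOENT asks libxml to
// substitute every reference, so the parsed tree itself stores the
// expanded text. Returns a one-line description of what happened.
function parseVulnerable(string $xml): string
{
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok  = $dom->loadXML($xml, LIBXML_NOENT);
    $err = libxml_get_last_error();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false || $dom->documentElement === null) {
        // Newer libxml2 releases enforce an entity amplification limit
        // unless LIBXML_PARSEHUGE is passed; this branch reports that.
        return 'parser refused: ' . ($err ? trim($err->message) : 'unknown error');
    }
    return sprintf('tree holds %d bytes of text', strlen($dom->documentElement->textContent));
}

// Hardened path (hypothetical name): refuse any document carrying a DTD,
// and therefore any entity declaration, before libxml sees it; parse
// with internal errors enabled; never pass LIBXML_NOENT or LIBXML_PARSEHUGE.
function parseHardened(string $xml): DOMDocument
{
    // A conservative textual check: no DOCTYPE or ENTITY declaration anywhere.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('documents with DTDs or entity declarations are not accepted');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network fetches for DTDs and external
        // entities; it does not restrict local file access, which is why
        // the DOCTYPE check above exists.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new RuntimeException('XML parse error: ' . ($err ? trim($err->message) : 'unknown'));
        }
        // Belt and braces: libxml records a DOCTYPE on the document node.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE present after parse');
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Small demonstration sizes: a 10 KiB entity referenced 1,000 times is a
// ~13 KiB document that expands to ~10 MiB of text.
$payload = buildQuadraticBlowup(10 * 1024, 1000);
printf("payload size: %d bytes\n", strlen($payload));
printf("vulnerable parse: %s\n", parseVulnerable($payload));

try {
    parseHardened($payload);
} catch (InvalidArgumentException $e) {
    printf("hardened parse rejected payload: %s\n", $e->getMessage());
}

// A plain document without a DTD still parses normally.
$doc = parseHardened('<?xml version="1.0"?><root><item>ok</item></root>');
printf("hardened parse accepted plain document: %s\n", $doc->documentElement->textContent);
```

Rejecting every DOCTYPE is stricter than "disabling custom entities", but it is the only way in PHP to guarantee that no entity is declared, because libxml has no flag for that alone. The check must run on the raw bytes before parsing: once the document reaches libxml, the internal subset has already been processed, and the entity amplification limits that newer libxml2 builds apply are a backstop, not a substitute, since LIBXML_PARSEHUGE switches them off.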

Fix

XML Entity Expansion

Weakness Enumeration

Related Identifiers

GHSA-F75P-X5VM-83QP

Affected Products

Php
Symfony
Libxml