CVE-2026-45133

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4.21

Description The SymfonyComponentYamlParser entry point for parsing YAML strings into PHP values via Yaml::parse() lacks a depth limit for recursion. When processing attacker-controlled input, deeply nested mappings or sequences cause the block-level Parser::parseBlock() and inline Inline::parseSequence() or Inline::parseMapping() parsers to recurse indefinitely. This leads to PHP stack exhaustion and crashes the worker process.

Recommendations Update to version 5.4.21 or later. As a temporary mitigation, restrict the use of Yaml::parse() and Yaml::parseFile() with untrusted user input.