CVE-2026-45304

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4

Description The SymfonyComponentYamlParser resolves YAML aliases during parsing. Aliases referencing collections, such as arrays, stdClass, or TaggedValue-wrapped collections, can point to other collections containing aliases. This creates exponential expansion during resolution, allowing a small input to expand into a multi-gigabyte structure and exhaust memory. This is a Billion Laughs denial-of-service attack, where a parser is overwhelmed by recursive entity expansion.

Recommendations Update to the patched version of branch 5.4. As a temporary mitigation, use the Yaml::PARSE EXCEPTION ON ALIAS flag to reject all aliases when parsing untrusted input. Restrict the number of collection alias resolutions by configuring the $maxAliasesForCollections argument in Parser:: construct(), Yaml::parse(), or Yaml::parseFile().