PT-2026-44150 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45305

CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 5.4.31

Description: The cleanup() function in Symfony\Component\Yaml\Parser contains regular expressions with overlapping quantifiers, specifically in the pattern used to strip the %YAML directive header. On specially crafted input this leads to catastrophic backtracking, a state in which the regex engine needs an exponential amount of time to process the string. An oversized directive header, comment, or document-marker line can therefore cause the parser to hang, resulting in a denial of service.

Recommendations: Update to version 5.4.31 or later. As a temporary workaround, restrict the input passed to the cleanup() function so that oversized directive headers or comments are not processed.

Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

CVE-2026-45305
GHSA-9FRC-8383-795M

Affected Products

Symfony