PT-2026-44728 · Symfony · Symfony

Published 2026-05-21 · Updated 2026-05-28 · CVE-2026-45756

CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 7.4
Description: The JsonPath component contains an issue where the match() and search() filter functions compile caller-supplied patterns directly into preg_match() without sufficient restrictions on pattern length or backtracking. An application that evaluates attacker-influenced JSONPath expressions server-side can be subjected to catastrophic backtracking, a condition in which a complex regular expression takes an exponential amount of time to process, leading to CPU exhaustion and a denial of service. Because these preg_match() calls are error-suppressed, the resulting PCRE errors do not appear in logs.
Recommendations: Update to version 7.4 or later. As a temporary workaround, restrict the use of attacker-influenced input in JSONPath expressions, specifically avoiding the match() and search() filter functions.
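As an added example that is not Symfony's code, the PHP wrapper below shows the controls the description says are missing when a caller-supplied pattern reaches preg_match(): a pattern length cap, an explicit pcre.backtrack_limit, and no error suppression, so a backtracking-limit failure is surfaced instead of silently reading as "no match". The class name, the 256-byte cap, the default limit and the rejection of the '/' delimiter character are assumptions for this illustration.

```php
<?php
// Added example (not Symfony's code): guarded evaluation of a
// caller-supplied regular expression.
declare(strict_types=1);

final class GuardedRegex
{
    // Assumed cap; tune per application.
    private const MAX_PATTERN_LENGTH = 256;

    /**
     * Returns true/false for a clean match and throws when the pattern is
     * rejected or when PCRE aborts on its backtracking/recursion limits,
     * instead of returning false and hiding the error.
     */
    public static function matches(string $pattern, string $subject, int $backtrackLimit = 100000): bool
    {
        if (strlen($pattern) > self::MAX_PATTERN_LENGTH) {
            throw new InvalidArgumentException('Pattern too long');
        }
        // Reject NUL bytes and the delimiter so the pattern cannot break out of '/.../'.
        if (str_contains($pattern, "\0") || str_contains($pattern, '/')) {
            throw new InvalidArgumentException('Pattern contains forbidden characters');
        }
        $previous = ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
        try {
            // No '@' suppression: a compile warning becomes an exception.
            set_error_handler(static function (int $no, string $msg): bool {
                throw new InvalidArgumentException('Invalid pattern: ' . $msg);
            });
            try {
                $result = preg_match('/' . $pattern . '/', $subject);
            } finally {
                restore_error_handler();
            }
        } finally {
            if ($previous !== false) {
                ini_set('pcre.backtrack_limit', $previous);
            }
        }
        if ($result === false) {
            // preg_match() returns false on limit errors; report it rather than log nothing.
            throw new RuntimeException('Regex evaluation failed: ' . preg_last_error_msg());
        }
        return $result === 1;
    }
}

// Constructed sample input: a benign anchored pattern against a short subject.
var_dump(GuardedRegex::matches('^ab+c$', 'abbbc'));
```

A caller can log the RuntimeException and reject the request, which is the signal the suppressed preg_match() calls in the affected versions never produce.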

Exploit · Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-45756
GHSA-8V8V-G73J-492J

Affected Products

Symfony