
Update dependency symfony/yaml to v6.4.40 [SECURITY] #9

Open
renovate[bot] wants to merge 1 commit into main from renovate/packagist-symfony-yaml-vulnerability

Conversation


@renovate renovate Bot commented May 29, 2026

This PR contains the following updates:

Package               | Change          | Age     | Confidence
----------------------|-----------------|---------|-----------
symfony/yaml (source) | 6.4.8 -> 6.4.40 | (badge) | (badge)

Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")

CVE-2026-45304 / GHSA-4qpc-3hr4-r2p4

Description

Symfony\Component\Yaml\Parser resolves YAML aliases (*anchor) during parsing. Aliases that reference collections (arrays, stdClass, TaggedValue-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.

Resolution

The Parser now counts collection alias resolutions in a shared ParserState object, with a default limit of 128, following the SnakeYAML model. Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile(). A new Yaml::PARSE_EXCEPTION_ON_ALIAS flag also rejects all aliases outright when parsing fully untrusted input.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Symfony hardened the parser when handling untrusted input

CVE-2026-45133 / GHSA-c2p3-7m5p-cv8x

Description

Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.

Resolution

The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

CVE-2026-45305 / GHSA-9frc-8383-795m

Description

Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', whose [\d.]+ and .* overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized %YAML directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.

Resolution

The four regexes in Parser::cleanup() (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

symfony/yaml (symfony/yaml)

  • v6.4.40: Changelog (symfony/yaml@v6.4.39...v6.4.40)
  • v6.4.39: Changelog (symfony/yaml@v6.4.38...v6.4.39)
  • v6.4.38: Changelog (symfony/yaml@v6.4.34...v6.4.38)
  • v6.4.34: Changelog (symfony/yaml@v6.4.33...v6.4.34)
  • v6.4.30: Changelog (symfony/yaml@v6.4.29...v6.4.30)
  • v6.4.26: Changelog (symfony/yaml@v6.4.25...v6.4.26)
  • v6.4.25: Changelog (symfony/yaml@v6.4.24...v6.4.25)
  • v6.4.24: Changelog (symfony/yaml@v6.4.23...v6.4.24): no significant changes
  • v6.4.23: Changelog (symfony/yaml@v6.4.22...v6.4.23)
  • v6.4.21: Changelog (symfony/yaml@v6.4.20...v6.4.21): no significant changes
  • v6.4.20: Changelog (symfony/yaml@v6.4.19...v6.4.20)
  • v6.4.18: Changelog (symfony/yaml@v6.4.17...v6.4.18)
  • v6.4.13: Changelog (symfony/yaml@v6.4.12...v6.4.13): no significant changes
  • v6.4.12: Changelog (symfony/yaml@v6.4.11...v6.4.12)
  • v6.4.11: Changelog (symfony/yaml@v6.4.10...v6.4.11)

Configuration

📅 Schedule (UTC):
  • Branch creation: ""
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
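
Added example, not code from this PR or from symfony/yaml: a Python model of the two guards the first two advisories describe, a shared ParserState that counts collection-alias resolutions and nesting depth with defaults of 128. The tree representation (dict / list / scalar / Alias), the class and function names, the error type and the constructed documents are all assumptions; as the advisory states, scalar aliases are left uncounted.

```python
from dataclasses import dataclass
from functools import reduce
class YamlLimitError(Exception): pass  # a parse-time guard fired (stand-in for ParseException)

@dataclass
class ParserState:  # shared counters; the field names echo the advisories but are assumed here
    max_nesting_level: int = 128
    max_aliases_for_collections: int = 128
    depth: int = 0
    collection_aliases: int = 0

@dataclass(frozen=True)
class Alias:  # a '*name' reference to an anchored node that has not been expanded yet
    name: str

def resolve(node, anchors, state):
    """Expand aliases in a YAML-like tree (dict / list / scalar / Alias) under both guards."""
    if isinstance(node, Alias):
        target = anchors[node.name]
        if isinstance(target, (dict, list)):  # scalar aliases stay unrestricted
            state.collection_aliases += 1
            if state.collection_aliases > state.max_aliases_for_collections:
                raise YamlLimitError("collection alias limit exceeded")
        return resolve(target, anchors, state)  # re-walking the target is where growth compounds
    if not isinstance(node, (dict, list)):
        return node
    state.depth += 1
    if state.depth > state.max_nesting_level:
        raise YamlLimitError("nesting level limit exceeded")
    try:
        if isinstance(node, dict):
            return {k: resolve(v, anchors, state) for k, v in node.items()}
        return [resolve(v, anchors, state) for v in node]
    finally:
        state.depth -= 1

def parse_document(root, anchors, **limits):
    """Return ('ok', expanded) or ('rejected', reason); keyword limits override the 128 defaults."""
    try:
        return "ok", resolve(root, anchors, ParserState(**limits))
    except YamlLimitError as exc:
        return "rejected", str(exc)

def bomb_document(levels):
    """Constructed 'Billion Laughs': every anchor is two aliases to the anchor one level down."""
    anchors = {"a0": ["lol", "lol"]}
    for i in range(1, levels + 1):
        anchors[f"a{i}"] = [Alias(f"a{i - 1}"), Alias(f"a{i - 1}")]
    return {"payload": Alias(f"a{levels}")}, anchors

def nested_document(depth):  # constructed: `depth` nested sequences around one scalar, no aliases
    return reduce(lambda inner, _: [inner], range(depth), "leaf"), {}
```

With ten levels the constructed document would expand to 2048 scalars but is rejected at the 129th collection alias, while a document with a few shared defaults, or 300 aliases to a scalar, passes unchanged.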

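Added example for the third advisory, not the project's own code: the Parser::cleanup() directive regex quoted above re-created with Python's re, beside an equivalent rewrite that replaces the overlapping quantifiers with an unambiguous character class (a stand-in for the PCRE possessive quantifier the fix uses, which Python's re only supports from 3.11), plus a check that both patterns accept exactly the same headers. The hostile header and the function names are constructed for this example.

```python
import re
import time

# The advisory's pattern: [\d.]+ and .* both accept digits and dots, so a directive line
# that never reaches a newline is re-split between them about n^2/2 times before failing.
VULNERABLE_DIRECTIVE = re.compile(r"^%YAML[: ][\d.]+.*\n")
# Equivalent rewrite with an unambiguous class (Python stand-in for a possessive quantifier):
# after the version digits either the newline follows or a non-[\d.] character starts the
# remainder, so every alternative split is rejected immediately and matching stays linear.
HARDENED_DIRECTIVE = re.compile(r"^%YAML[: ][\d.]+(?:[^\d.\n][^\n]*)?\n")

def strip_directive(text, pattern=HARDENED_DIRECTIVE):
    """Remove a leading %YAML directive line, as Parser::cleanup() does, if one is present."""
    return pattern.sub("", text, count=1)

def same_decision(text):
    """True if both patterns match exactly the same directive line (or both fail) on `text`."""
    a, b = VULNERABLE_DIRECTIVE.match(text), HARDENED_DIRECTIVE.match(text)
    return (a.group(0) if a else None) == (b.group(0) if b else None)

def hostile_header(n):
    """Constructed input: a version field of n digits that never reaches a newline."""
    return "%YAML 1." + "1" * n

def seconds_to_match(pattern, text):
    """Wall-clock time of one match attempt; only the vulnerable pattern grows quadratically."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start

if __name__ == "__main__":
    for n in (1_000, 4_000, 16_000):
        print(f"n={n:>6}  vulnerable {seconds_to_match(VULNERABLE_DIRECTIVE, hostile_header(n)):.4f}s"
              f"  hardened {seconds_to_match(HARDENED_DIRECTIVE, hostile_header(n)):.6f}s")
```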