CVE-2026-45304
Received
Received - Intake
Memory Exhaustion in Symfony YAML Parser
Vulnerability report for CVE-2026-45304, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| symfony | symfony | From 5.4.52 (inc) |
| symfony | symfony | From 6.4.40 (inc) |
| symfony | symfony | From 7.4.12 (inc) |
| symfony | symfony | From 8.0.12 (inc) |
| symfony | symfony_yaml | From 5.4.52 (inc) to 5.4.52 (exc) |
| symfony | symfony_yaml | From 6.4.40 (inc) to 6.4.40 (exc) |
| symfony | symfony_yaml | From 7.4.12 (inc) to 7.4.12 (exc) |
| symfony | symfony_yaml | From 8.0.12 (inc) to 8.0.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-776 | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |