CVE-2026-49209
Received Received - Intake

Denial of Service in Symfony UX LiveComponent

Vulnerability report for CVE-2026-49209, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
symfony ux_live_component From 2.5.0 (inc) to 2.35.9 (inc)
symfony ux_live_component 2.36.0
symfony ux_live_component 3.1.0
symfony ux From 2.5.0 (inc) to 2.36.0 (inc)
symfony ux From 3.1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service issue in Symfony UX LiveComponent. The BatchActionController::__invoke() method processes client-supplied actions in a batch request without limiting the number of actions. An authenticated attacker can submit a single batch request with thousands of actions, causing the server to exhaust CPU, memory, and database connections by creating excessive HttpKernel sub-requests.

Detection Guidance

Monitor for unusually high CPU, memory, or database connection usage during batch requests. Check server logs for excessive HttpKernel sub-requests or BadRequestHttpException errors indicating batch size limits being exceeded.

Impact Analysis

If exploited, this vulnerability can lead to server resource exhaustion, causing slowdowns, crashes, or downtime for applications using affected Symfony UX LiveComponent versions. It may disrupt services for legitimate users and require manual intervention to restore normal operation.

Compliance Impact

This vulnerability could impact compliance by causing service disruptions that violate availability requirements in GDPR or HIPAA. Downtime may lead to unauthorized access risks or failure to meet data processing timelines, potentially resulting in regulatory penalties or breaches of service-level agreements.

Mitigation Strategies

Upgrade Symfony UX LiveComponent to version 2.36.0 or 3.1.0 or later to enforce the 50-action limit per batch request. If immediate upgrade is not possible, implement network-level rate limiting or WAF rules to block large batch requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart