CVE-2026-45304: Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Symfony\Component\Yaml\Parser resolves YAML aliases (*anchor) while it parses. An alias may reference a collection (an array, a stdClass object, or a collection wrapped in a TaggedValue), and that collection may itself contain aliases to other collections, so every level of nesting multiplies the number of nodes produced at resolution time. A few hundred bytes of input can therefore expand into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial of service, reachable wherever the parser is fed untrusted YAML. The fix commit is listed in the references below; until it is deployed, treat YAML from untrusted sources as unsafe to parse.
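The mechanism above, as an added example that is not Symfony code and not the referenced fix: a Python model of a copy-on-resolve alias expander over a deliberately tiny YAML subset (one level of block-mapping keys whose values are flow sequences of quoted scalars or *aliases, the exact shape of the classic payload). It builds the payload, shows that the parsed graph stays small while the fully resolved form would have fanout ** depth leaves, and demonstrates the two practical guards: computing the expanded size before resolving (memoised by node identity, so it costs about as many steps as the input has items) and bounding a naive resolver so it aborts instead of exhausting memory. All function names and the subset grammar are this example's own assumptions.

```python
"""Model of recursive YAML alias expansion plus a pre-expansion size guard.

Added example for this advisory; not Symfony code. Only a small YAML subset is
handled (lines of the form `key: &anchor [item, *alias, ...]`) so it runs with
no dependencies. Names such as billion_laughs and is_safe_to_parse are this
example's own, not a library API.
"""
import re


class ExpansionLimitExceeded(Exception):
    """Raised when resolving aliases would exceed the configured leaf budget."""


# key, optional &anchor, flow-sequence body (subset grammar, assumption)
_LINE = re.compile(r"^(\w+):\s*(?:&(\w+)\s*)?\[(.*)\]\s*$")


def billion_laughs(depth: int, fanout: int) -> str:
    """Build the classic payload: level 0 holds `fanout` scalars, each later
    level holds `fanout` aliases to the previous level. Fully expanded, the
    last key alone has fanout ** depth leaves while the text stays tiny."""
    lines = []
    for level in range(depth):
        name = f"l{level}"
        if level == 0:
            items = ", ".join(['"lol"'] * fanout)
        else:
            items = ", ".join([f"*l{level - 1}"] * fanout)
        lines.append(f"{name}: &{name} [{items}]")
    return "\n".join(lines) + "\n"


def parse_subset(text: str) -> dict:
    """Parse the subset into a dict of lists. An alias is stored as a reference
    to the anchored list (no copy), so the parsed graph is small; the blow-up
    only happens if a consumer copies the target at every alias."""
    anchors, doc = {}, {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"unsupported line in subset: {raw!r}")
        key, anchor, body = m.groups()
        items = []
        for tok in (t.strip() for t in body.split(",") if t.strip()):
            if tok.startswith("*"):
                name = tok[1:]
                if name not in anchors:
                    raise ValueError(f"undefined alias *{name}")
                items.append(anchors[name])  # shared reference, not a copy
            else:
                items.append(tok.strip("\"'"))
        if anchor:
            anchors[anchor] = items
        doc[key] = items
    return doc


def expanded_leaves(node, memo=None) -> int:
    """Number of scalar leaves a copy-on-resolve expander would produce.
    Shared sublists are counted once (memoised by identity), so a 9x9 payload
    costs a few dozen steps instead of 9 ** 9 allocations."""
    if memo is None:
        memo = {}
    if not isinstance(node, list):
        return 1
    key = id(node)
    if key not in memo:
        memo[key] = sum(expanded_leaves(child, memo) for child in node)
    return memo[key]


def is_safe_to_parse(text: str, max_leaves: int) -> bool:
    """Pre-flight guard: parse (cheap), size the expansion, reject over budget."""
    memo = {}
    total = sum(expanded_leaves(v, memo) for v in parse_subset(text).values())
    return total <= max_leaves


def expand_copying(node, budget: int, _count=None):
    """Naive resolver that deep-copies at every alias: the behaviour that
    exhausts memory. The running leaf counter aborts it at `budget`, which is
    the minimal fix for such a resolver: bound the work, not the input size."""
    if _count is None:
        _count = [0]
    if not isinstance(node, list):
        _count[0] += 1
        if _count[0] > budget:
            raise ExpansionLimitExceeded(f"expansion exceeded {budget} leaves")
        return node
    return [expand_copying(child, budget, _count) for child in node]


def would_exhaust(text: str, budget: int) -> bool:
    """True if naively resolving any top-level value trips the leaf budget."""
    try:
        for value in parse_subset(text).values():
            expand_copying(value, budget)
        return False
    except ExpansionLimitExceeded:
        return True


if __name__ == "__main__":
    payload = billion_laughs(9, 9)  # constructed sample input
    print(f"payload size: {len(payload)} bytes")
    print("leaves if the last key were expanded:",
          expanded_leaves(parse_subset(payload)["l8"]))
    print("safe under a 1e6 leaf budget?", is_safe_to_parse(payload, 1_000_000))
    print("naive resolver aborted?", would_exhaust(payload, 100_000))
```

The counting guard is the one worth porting to an application that must accept YAML from the outside: it runs on the parsed node graph before any alias is materialised, whereas an input-size limit does nothing against a payload that is a few hundred bytes long.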
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45304.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45304.yaml
- github.com/advisories/GHSA-4qpc-3hr4-r2p4
- github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a
- github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4
- nvd.nist.gov/vuln/detail/CVE-2026-45304
- symfony.com/cve-2026-45304