CVE-2026-45305: Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comment lines, and the document start/end markers before the document is parsed. The regexes it used contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', where [\d.]+ and .* both match digits and the dot character, so on crafted input the engine backtracks through every way of dividing the line between the two quantifiers (catastrophic backtracking). A single oversized %YAML directive header (or a leading comment or document-marker line) can therefore keep the parser busy for an arbitrarily long time, denying service.
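The following is an added example, not code from the advisory or from the Symfony code base. It does two things: a small harness that runs the cleanup() directive regex quoted above against a single-line document of growing size so you can observe how the match time behaves on your own PHP build, and a regex-free pre-parse guard (the hypothetical `YamlInputGuard` class) that rejects implausibly long leading lines before handing the document to `Yaml::parse()`, as a stop-gap until a fixed symfony/yaml is installed. The size caps, class and function names are illustrative assumptions; it targets PHP 8 and expects symfony/yaml to be available through Composer's autoloader.

```php
<?php
// Added example, not part of the advisory or of Symfony. Assumes PHP 8+ and a
// Composer project with symfony/yaml installed (adjust the autoload path).
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Yaml;

// The directive regex named in the advisory. A crafted single-line document with
// no trailing "\n" can never satisfy the final "\n", so the engine retries every
// split of the line between [\d.]+ and .* before it gives up.
const DIRECTIVE_REGEX = '#^%YAML[: ][\d.]+.*\n#u';

function craftedDirective(int $digits): string
{
    return '%YAML 1.' . str_repeat('1', $digits); // no newline on purpose
}

// Times one preg_replace() call with the advisory's regex on a crafted line.
function timeDirectiveRegex(int $digits): string
{
    $input = craftedDirective($digits);
    $start = hrtime(true);
    $result = preg_replace(DIRECTIVE_REGEX, '', $input);
    $ms = (hrtime(true) - $start) / 1e6;
    // preg_replace() returns null when pcre.backtrack_limit is hit: the call then
    // fails instead of hanging, but the document still cannot be parsed.
    $outcome = null === $result ? 'error: ' . preg_last_error_msg() : 'ok';

    return sprintf('%7d digits: %9.1f ms (%s)', $digits, $ms, $outcome);
}

// Hypothetical application-side guard: bounds the lines cleanup() scans.
final class YamlInputGuard
{
    // Illustrative limits; tune them to the documents you actually accept.
    private const MAX_DOCUMENT_BYTES = 1_048_576;
    private const MAX_HEADER_LINE_BYTES = 256;

    /**
     * Returns null when $yaml may be handed to the parser, otherwise a reason.
     * Only the region cleanup() scans is inspected: the leading %YAML directive,
     * leading '#' comment lines and the '---' document-start marker.
     */
    public static function reject(string $yaml): ?string
    {
        if (\strlen($yaml) > self::MAX_DOCUMENT_BYTES) {
            return 'document exceeds ' . self::MAX_DOCUMENT_BYTES . ' bytes';
        }
        $yaml = str_replace(["\r\n", "\r"], "\n", $yaml);
        $offset = 0;
        $lineNo = 0;
        while ($offset < \strlen($yaml)) {
            $nl = strpos($yaml, "\n", $offset);
            $line = false === $nl ? substr($yaml, $offset) : substr($yaml, $offset, $nl - $offset);
            ++$lineNo;
            $isHeader = '' !== $line
                && ('%' === $line[0] || '#' === $line[0] || str_starts_with($line, '---'));
            if (!$isHeader) {
                break; // first content line: cleanup() strips nothing beyond here
            }
            if (\strlen($line) > self::MAX_HEADER_LINE_BYTES) {
                return sprintf('header line %d is %d bytes (limit %d)',
                    $lineNo, \strlen($line), self::MAX_HEADER_LINE_BYTES);
            }
            if (false === $nl || str_starts_with($line, '---')) {
                break; // end of input, or the document marker ends the header region
            }
            $offset = $nl + 1;
        }

        return null;
    }

    public static function parse(string $yaml): mixed
    {
        if (null !== $reason = self::reject($yaml)) {
            throw new \InvalidArgumentException('Refusing to parse YAML: ' . $reason);
        }

        return Yaml::parse($yaml);
    }
}

if (PHP_SAPI === 'cli') {
    foreach ([1_000, 10_000, 50_000] as $n) {
        echo timeDirectiveRegex($n), PHP_EOL;
    }
    // Constructed inputs: a benign document passes, a crafted header is rejected.
    var_dump(YamlInputGuard::reject("%YAML 1.2\n# comment\n---\nkey: value\n"));
    var_dump(YamlInputGuard::reject(craftedDirective(10_000)));
}
```

Compare the growth across the three sizes rather than the absolute numbers: timings depend on the PCRE build (JIT, pcre.backtrack_limit and PCRE's own start-up optimisations), and a build that hits the backtrack limit reports an error instead of a long runtime, which still leaves the document unparseable. The guard is deliberately linear (strpos/substr, no regex) and only inspects the header region, so it cannot itself become a backtracking target; it is a stop-gap, not a replacement for upgrading to a release that contains the fix commit listed below.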
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45305.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45305.yaml
- github.com/advisories/GHSA-9frc-8383-795m
- github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb
- github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m
- nvd.nist.gov/vuln/detail/CVE-2026-45305
- symfony.com/cve-2026-45305