GHSA-4qpc-3hr4-r2p4
Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Details
### Description
`Symfony\Component\Yaml\Parser` resolves YAML aliases (`*anchor`) during parsing. Aliases that reference *collections* (arrays, `stdClass`, `TaggedValue`-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.
### Resolution
The `Parser` now counts collection alias resolutions in a shared `ParserState` object, with a default limit of **128**, following the [SnakeYAML model](https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/LoaderOptions.java). Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new `$maxAliasesForCollections` argument on `Parser::__construct()`, `Yaml::parse()` and `Yaml::parseFile()`. A new `Yaml::PARSE_EXCEPTION_ON_ALIAS` flag also rejects all aliases outright when parsing fully untrusted input.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a) for branch 5.4.
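How an application that parses untrusted YAML would use the two new controls described above, as an added example that is not Symfony's own code. It assumes a fixed release is installed through Composer, PHP 8 named arguments, that the new parameter is named `maxAliasesForCollections` as stated above, and that both the collection-alias limit and `PARSE_EXCEPTION_ON_ALIAS` report a violation by throwing `ParseException`.

```php
<?php
// Added example, not Symfony's own code. Assumes a fixed symfony/yaml release
// (5.4.52, 6.4.40, 7.4.12 or 8.0.12), PHP 8 named arguments, and that both the
// alias limit and PARSE_EXCEPTION_ON_ALIAS signal a violation with ParseException.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Exception\ParseException;
use Symfony\Component\Yaml\Yaml;

// Fully untrusted input (uploads, webhooks): forbid every alias.
// Semi-trusted input (customer config): keep aliases but cap collection-alias
// resolutions well below the default of 128 if your documents never need that many.
function parseUntrustedYaml(string $yaml, bool $allowAliases = false, int $maxCollectionAliases = 16): mixed
{
    if (!$allowAliases) {
        return Yaml::parse($yaml, Yaml::PARSE_EXCEPTION_ON_ALIAS);
    }
    // Named argument, so the call does not depend on the parameter's position.
    return Yaml::parse($yaml, maxAliasesForCollections: $maxCollectionAliases);
}

// Constructed sample: one collection anchor reused five times, one scalar anchor.
$doc = <<<'YAML'
defaults: &defaults
  timeout: 30
  retries: 3
region: &region eu-west-1
svc_a: *defaults
svc_b: *defaults
svc_c: *defaults
svc_d: *defaults
svc_e: *defaults
svc_region: *region
YAML;

// 1) Untrusted mode: the first alias already aborts parsing.
try {
    parseUntrustedYaml($doc);
} catch (ParseException $e) {
    echo "rejected, aliases forbidden: {$e->getMessage()}\n";
}
// 2) Capped mode: five collection-alias resolutions exceed a limit of 4;
//    the scalar alias *region is never counted.
try {
    parseUntrustedYaml($doc, allowAliases: true, maxCollectionAliases: 4);
} catch (ParseException $e) {
    echo "rejected, collection-alias limit: {$e->getMessage()}\n";
}
// 3) A limit of 8 accepts the same document.
$data = parseUntrustedYaml($doc, allowAliases: true, maxCollectionAliases: 8);
var_dump($data['svc_e']['retries'] === 3, $data['svc_region'] === 'eu-west-1');
```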
### Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
Affected packages

| Package | Affected from | Fixed in | Upgrade command |
| --- | --- | --- | --- |
| symfony/yaml | 0 | 5.4.52 | `composer require symfony/yaml:^5.4.52` |
| symfony/yaml | 6.0.0 | 6.4.40 | `composer require symfony/yaml:^6.4.40` |
| symfony/yaml | 7.0.0 | 7.4.12 | `composer require symfony/yaml:^7.4.12` |
| symfony/yaml | 8.0.0 | 8.0.12 | `composer require symfony/yaml:^8.0.12` |
| symfony/symfony | 0 | 5.4.52 | `composer require symfony/symfony:^5.4.52` |
| symfony/symfony | 6.0.0 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| symfony/symfony | 7.0.0 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |

References
- https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4 [WEB]
- https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45304.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45304.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45304 [WEB]