GHSA-c2p3-7m5p-cv8x
Symfony hardened the parser when handling untrusted input
Details
### Description
`Symfony\Component\Yaml\Parser` is the entry point for parsing YAML strings into PHP values via `Yaml::parse()`. When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (`Parser::parseBlock()`) and inline (`Inline::parseSequence()` / `Inline::parseMapping()`) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
### Resolution
The `Parser` now tracks recursion depth in a shared `ParserState` object across both block-level and inline parsing, with a default limit of **128**. The limit is configurable via a new `$maxNestingLevel` argument on `Parser::__construct()`, `Yaml::parse()` and `Yaml::parseFile()`.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/914f427ed9630ddb3904dafba763e53d9f133fe3) for branch 5.4.
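As an added example (not code from the advisory or from Symfony itself), the following shows how an application parsing attacker-controlled YAML would pass the new limit and add a cheap, non-recursive pre-check in front of the parser. It assumes a fixed symfony/yaml version, PHP 8.0+ (named arguments and `mixed`), Composer autoloading, and that the patched parser reports an exceeded nesting limit through an exception implementing the component's `ExceptionInterface`; the `yamlNestingUpperBound()` helper is hypothetical and only over-approximates depth.

```php
<?php
// Added example; not code from the advisory or from Symfony itself.
// Assumptions: symfony/yaml at a fixed version (5.4.52, 6.4.40, 7.4.12 or
// 8.0.12 and later), PHP 8.0+ (named arguments, `mixed`), Composer autoloading,
// and that the parser signals an exceeded nesting limit through an exception
// implementing Symfony\Component\Yaml\Exception\ExceptionInterface.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Exception\ExceptionInterface as YamlException;
use Symfony\Component\Yaml\Yaml;

/**
 * Iterative (non-recursive) upper bound on a document's nesting depth:
 * indentation in two-space units for block structures, plus unmatched
 * '[' / '{' for inline collections. Hypothetical defense-in-depth helper.
 * It over-approximates (brackets inside quoted scalars count too), which
 * is the safe direction for a check that only ever rejects input.
 */
function yamlNestingUpperBound(string $yaml): int
{
    $max = 0;
    foreach (preg_split('/\R/', $yaml) as $line) {
        if (preg_match('/^\s*(#|$)/', $line)) {
            continue; // blank line or comment: contributes no nesting
        }
        $indent = strlen($line) - strlen(ltrim($line, ' '));
        $blockDepth = intdiv($indent, 2) + 1;
        $depth = $blockDepth;
        $open = 0;
        foreach (str_split(trim($line)) as $ch) {
            if ($ch === '[' || $ch === '{') {
                $open++;
                $depth = max($depth, $blockDepth + $open);
            } elseif (($ch === ']' || $ch === '}') && $open > 0) {
                $open--;
            }
        }
        $max = max($max, $depth);
    }
    return $max;
}

/**
 * Parse untrusted YAML under an explicit nesting cap. The cap is passed to
 * the patched parser through the advisory's $maxNestingLevel argument (as a
 * named argument, so its position in the signature does not matter); the
 * pre-check turns away oversized or deeply nested input before any recursion.
 */
function parseUntrustedYaml(string $yaml, int $maxDepth = 32): mixed
{
    if (strlen($yaml) > 1_000_000) {
        throw new \LengthException('YAML document exceeds size limit');
    }
    if (yamlNestingUpperBound($yaml) > $maxDepth) {
        throw new \LengthException('YAML document nested deeper than ' . $maxDepth);
    }
    try {
        return Yaml::parse($yaml, maxNestingLevel: $maxDepth);
    } catch (YamlException $e) {
        // Syntax errors and, in fixed versions, a nesting limit hit inside the parser
        throw new \InvalidArgumentException('Rejected YAML: ' . $e->getMessage(), 0, $e);
    }
}

// Constructed sample inputs.
$config = "server:\n  listen:\n    - { host: 127.0.0.1, port: 8080 }\n";
$listen = parseUntrustedYaml($config)['server']['listen'][0];

$tooDeep = str_repeat('[', 40) . str_repeat(']', 40); // 40 inline levels, above the cap of 32
try {
    parseUntrustedYaml($tooDeep);
} catch (\LengthException $e) {
    // Rejected by the pre-check; the parser is never invoked for this document.
    error_log($e->getMessage());
}
```

Choosing a cap well below the default of 128 for endpoints that accept YAML from users keeps the worst-case stack usage small even on versions that predate the fix, and the pre-check costs one linear pass over the input.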
### Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
### Affected packages

| Package | Introduced | Fixed in | Upgrade command |
| --- | --- | --- | --- |
| symfony/symfony | 0 | 5.4.52 | `composer require symfony/symfony:^5.4.52` |
| symfony/symfony | 6.0.0 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| symfony/symfony | 7.0.0 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |
| symfony/yaml | 0 | 5.4.52 | `composer require symfony/yaml:^5.4.52` |
| symfony/yaml | 6.0.0 | 6.4.40 | `composer require symfony/yaml:^6.4.40` |
| symfony/yaml | 7.0.0 | 7.4.12 | `composer require symfony/yaml:^7.4.12` |
| symfony/yaml | 8.0.0 | 8.0.12 | `composer require symfony/yaml:^8.0.12` |

### References
- https://github.com/symfony/symfony/security/advisories/GHSA-c2p3-7m5p-cv8x [WEB]
- https://github.com/symfony/symfony/commit/914f427ed9630ddb3904dafba763e53d9f133fe3 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45133.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45133.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45133 [WEB]