GHSA-mm82-c99c-h2cf
symfony/ux-live-component: Denial of service via unbounded batch action requests
Details
### Description
`Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single `_batch` request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.
### Resolution
`BatchActionController` now enforces an upper bound of 50 actions per `_batch` request (`MAX_ACTIONS_PER_BATCH`) and rejects larger payloads up front with a `BadRequestHttpException`. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.
The patch for this issue is available [here](https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f) for branch 2.x (and forward-ported to 3.x).
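To make the fix concrete, here is a reduced batch controller (an added illustration, not the symfony/ux patch or its code) that applies the same kind of bound before any sub-request is issued; the class name, the `_action` request attribute and the response shape are assumptions for the example.

```php
<?php
// Added illustration, not the symfony/ux code: a cut-down batch controller that
// rejects oversized "actions" arrays before doing any per-action work.
declare(strict_types=1);

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\HttpKernelInterface;

final class BoundedBatchController // hypothetical name
{
    // Same limit and constant name as the advisory describes.
    public const MAX_ACTIONS_PER_BATCH = 50;

    public function __construct(private readonly HttpKernelInterface $kernel) {}

    public function __invoke(Request $request): Response
    {
        $payload = json_decode($request->getContent(), true, 512, JSON_THROW_ON_ERROR);
        $actions = $payload['actions'] ?? null;
        if (!\is_array($actions)) {
            throw new BadRequestHttpException('Missing or invalid "actions" array.');
        }

        // The unfixed code went straight into the loop below; the vulnerability is the
        // absence of this check, so it runs before any sub-request is dispatched.
        $count = \count($actions);
        if ($count > self::MAX_ACTIONS_PER_BATCH) {
            throw new BadRequestHttpException(sprintf(
                'Too many actions in batch: %d (maximum %d).', $count, self::MAX_ACTIONS_PER_BATCH
            ));
        }

        $responses = [];
        foreach ($actions as $i => $action) {
            // One full kernel sub-request per action (subscribers, validators, ORM,
            // rendering), which is exactly why the count must be bounded above.
            $sub = $request->duplicate(attributes: ['_action' => $action]); // '_action' is assumed
            $responses[$i] = $this->kernel->handle($sub, HttpKernelInterface::SUB_REQUEST)->getContent();
        }

        return new JsonResponse($responses);
    }
}
```

The check costs one `count()` and runs before the expensive loop, so an oversized payload is rejected with a 400 instead of consuming kernel, ORM and database resources per entry.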
### Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
### Affected packages

| Affected | Fixed in | Upgrade command |
|---|---|---|
| 2.5.0 | 2.36.0 | `composer require symfony/ux-live-component:^2.36.0` |
| 3.0.0 | 3.1.0 | `composer require symfony/ux-live-component:^3.1.0` |

### References
- https://github.com/symfony/ux/security/advisories/GHSA-mm82-c99c-h2cf [WEB]
- https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49209.yaml [WEB]
- https://github.com/symfony/ux [PACKAGE]