GHSA-9frc-8383-795m
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Details
### Description
`Symfony\Component\Yaml\Parser::cleanup()` strips the optional `%YAML` directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably `'#^%YAML[: ][\d.]+.*\n#u'`, whose `[\d.]+` and `.*` overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized `%YAML` directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.
### Resolution
The four regexes in `Parser::cleanup()` (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb) for branch 5.4.
### Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 5.4.52 composer require symfony/yaml:^5.4.52 0 Fixed in: 5.4.52 composer require symfony/symfony:^5.4.52 6.0.0 Fixed in: 6.4.40 composer require symfony/symfony:^6.4.40 7.0.0 Fixed in: 7.4.12 composer require symfony/symfony:^7.4.12 8.0.0 Fixed in: 8.0.12 composer require symfony/symfony:^8.0.12 6.0.0 Fixed in: 6.4.40 composer require symfony/yaml:^6.4.40 7.0.0 Fixed in: 7.4.12 composer require symfony/yaml:^7.4.12 8.0.0 Fixed in: 8.0.12 composer require symfony/yaml:^8.0.12 References
- https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m [WEB]
- https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45305.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45305.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45305 [WEB]