GHSA-mm82-c99c-h2cf
symfony/ux-live-component: Denial of service via unbounded batch action requests
상세
### Description
`Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single `_batch` request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.
### Resolution
`BatchActionController` now enforces an upper bound of 50 actions per `_batch` request (`MAX_ACTIONS_PER_BATCH`) and rejects larger payloads up front with a `BadRequestHttpException`. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.
The patch for this issue is available [here](https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f) for branch 2.x (and forward-ported to 3.x).
### Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
2.5.0 수정 버전: 2.36.0 composer require symfony/ux-live-component:^2.36.0 3.0.0 수정 버전: 3.1.0 composer require symfony/ux-live-component:^3.1.0 참고
- https://github.com/symfony/ux/security/advisories/GHSA-mm82-c99c-h2cf [WEB]
- https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49209.yaml [WEB]
- https://github.com/symfony/ux [PACKAGE]