Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().
The patch for this issue is available here for branch 5.4.
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
No EPSS score in this advisory JSON.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-c2p3-7m5p-cv8x ↗ |
| CVE | CVE-2026-45133 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | symfony/yaml | < 5.4.52 | 5.4.52 | — |
| composer | symfony/symfony | < 5.4.52 | 5.4.52 | — |
| composer | symfony/symfony | >= 6.0.0, < 6.4.40 | 6.4.40 | — |
| composer | symfony/symfony | >= 7.0.0, < 7.4.12 | 7.4.12 | — |
| composer | symfony/symfony | >= 8.0.0, < 8.0.12 | 8.0.12 | — |
| composer | symfony/yaml | >= 6.0.0, < 6.4.40 | 6.4.40 | — |
| composer | symfony/yaml | >= 7.0.0, < 7.4.12 | 7.4.12 | — |
| composer | symfony/yaml | >= 8.0.0, < 8.0.12 | 8.0.12 | — |