Uncontrolled Recursion Affecting symfony/yaml package, versions <5.4.52>=6.0.0-BETA1, <6.4.40>=7.0.0-BETA1, <7.4.12>=8.0.0-BETA1, <8.0.12
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Uncontrolled Recursion vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-SYMFONYYAML-16797942
- published22 May 2026
- disclosed20 May 2026
- creditPietro Tirenna
Introduced: 20 May 2026
NewCVE-2026-45133 (opens in a new tab)How to fix?
Upgrade symfony/yaml to version 5.4.52, 6.4.40, 7.4.12, 8.0.12 or higher.
Overview
Affected versions of this package are vulnerable to Uncontrolled Recursion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings. Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.