Uncontrolled Recursion Affecting symfony/yaml package, versions <5.4.52>=6.0.0-BETA1, <6.4.40>=7.0.0-BETA1, <7.4.12>=8.0.0-BETA1, <8.0.12


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.09% (26th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-SYMFONYYAML-16797942
  • published22 May 2026
  • disclosed20 May 2026
  • creditPietro Tirenna

Introduced: 20 May 2026

CVE-2026-45133  (opens in a new tab)
CWE-674  (opens in a new tab)

How to fix?

Upgrade symfony/yaml to version 5.4.52, 6.4.40, 7.4.12, 8.0.12 or higher.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings. Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.

CVSS Base Scores

version 4.0
version 3.1