CVE-2026-45133

LOWPre-NVD 0.0

0.0

Symfony hardened the parser when handling untrusted input

Description

Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.

Resolution

The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

CVSS v3: —
EG Score: 0.0(none)
EPSS: —
KEV: Not listed

Published

May 27, 2026

Last Modified

May 27, 2026

Vendor Advisories for CVE-2026-45133(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-c2p3-7m5p-cv8x
GitHub Security AdvisoriesLow
Symfony hardened the parser when handling untrusted input

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-27 21:35 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-45133?

CVE-2026-45133 is a low vulnerability published on May 27, 2026. Symfony hardened the parser when handling untrusted input Description Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level…

When was CVE-2026-45133 disclosed?

CVE-2026-45133 was first published in the National Vulnerability Database on May 27, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

How do I remediate CVE-2026-45133?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45133, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45133

Explore →

Is Your Infrastructure Affected by CVE-2026-45133?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs