symfony/ux-live-component: Denial of service via unbounded batch action requests
🔗 CVE IDs covered (1)
📋 Description
Description
Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.
Resolution
BatchActionController now enforces an upper bound of 50 actions per _batch request (MAX_ACTIONS_PER_BATCH) and rejects larger payloads up front with a BadRequestHttpException. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
🎯 Affected products2
- composer/symfony/ux-live-component:>= 2.5.0, < 2.36.0
- composer/symfony/ux-live-component:>= 3.0.0, < 3.1.0
🔗 References (4)
- https://github.com/symfony/ux/security/advisories/GHSA-mm82-c99c-h2cf
- https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49209.yaml
- https://github.com/advisories/GHSA-mm82-c99c-h2cf