Affected versions
Symfony versions <5.4.52, >=6, <6.4.40, >=7, <7.4.12, >=8, <8.0.12 of the Symfony YAML component are affected by this security issue.
The issue has been fixed in Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12.
Description
Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
Resolution
The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.