Denial of Service Vulnerability in Symfony PHP Framework
CVE-2026-45756
What is CVE-2026-45756?
The Symfony PHP framework's JsonPath component contains a vulnerability that allows attackers to craft specific match() and search() filter patterns, leading to catastrophic backtracking during regex evaluation. This flaw occurs because the patterns are compiled directly into the preg_match() function without proper limitations on length or regex complexity. As a result, an attacker can exploit this issue to pin the CPU usage of application workers, potentially causing a denial of service for legitimate users. It is crucial for users of affected Symfony versions to update to versions 7.4.12 or 8.0.12, where this vulnerability has been resolved.
Affected Version(s)
json-path >= 7.3.0-BETA1, < 7.4.12 < 7.3.0-BETA1, 7.4.12
json-path >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
symfony >= 7.3.0-BETA1, < 7.4.12 < 7.3.0-BETA1, 7.4.12
