Resource Exhaustion Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49209
5.3MEDIUM
What is CVE-2026-49209?
A resource exhaustion vulnerability exists in the Symfony UX JavaScript ecosystem due to the uncontrolled iteration of client-supplied actions. Specifically, the BatchActionController::__invoke() method does not limit the size of the actions array, allowing authenticated clients to submit a single _batch request with numerous actions. This can lead to excessive consumption of CPU, memory, and connections on the application server, potentially causing service disruptions. The issue has been resolved in Symfony UX versions 2.36.0 and 3.1.0, highlighting the importance of upgrading to these versions to maintain system performance and security.
Affected Version(s)
ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0
ux >= 2.5.0, < 2.36.0 < 2.5.0, 2.36.0
