Skip to content

Denial of service in symfony/ux-live-component via unbounded batch action requests

Low
nicolas-grekas published GHSA-mm82-c99c-h2cf May 29, 2026

Package

composer symfony/ux-live-component (Composer)

Affected versions

>=2.5.0, <2.36.0
>=3.0.0, <3.1.0

Patched versions

2.36.0
3.1.0

Description

Description

Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.

Resolution

BatchActionController now enforces an upper bound of 50 actions per _batch request (MAX_ACTIONS_PER_BATCH) and rejects larger payloads up front with a BadRequestHttpException. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

We would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

Severity

Low

CVE ID

CVE-2026-49209

Weaknesses

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. Learn more on MITRE.

Credits