VYPR
Low severity · 1.3 · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

symfony/ux-live-component: Denial of service via unbounded batch action requests

CVE-2026-49209

Description

Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.

Resolution

BatchActionController now enforces an upper bound of 50 actions per _batch request (MAX_ACTIONS_PER_BATCH) and rejects larger payloads up front with a BadRequestHttpException. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing upper bound on the client-supplied `actions` array in `BatchActionController::__invoke()` allows an authenticated attacker to trigger an unbounded number of full `HttpKernel` sub-requests, leading to resource exhaustion. [CWE-770]"

Attack vector

An authenticated attacker sends a single POST request to the `_batch` endpoint with an arbitrarily large `actions` array. The server iterates over every entry and issues a full `HttpKernel` sub-request for each one, triggering event subscribers, validators, Doctrine queries, and rendering. Because no upper bound existed on the array size, a payload containing thousands of actions can exhaust CPU, memory, and database connections on the application server [ref_id=2]. The only precondition is that the attacker holds a valid session (authenticated client) [ref_id=2].

What the fix does

The PHP `BatchActionController::__invoke()` method now checks `count($actions) > self::MAX_ACTIONS_PER_BATCH` (50) and throws a `BadRequestHttpException` with the message 'Too many actions in batch.' before any sub-requests are dispatched [patch_id=6625363]. On the JavaScript side, `Component.makeRequest()` slices `pendingActions` to the first 50 entries and stores the remainder as `remainingActions`; if overflow exists, `isRequestPending` stays `true`, which causes the framework to issue a follow-up request for the leftover actions [patch_id=6625363]. This ensures legitimate usage with more than 50 queued actions is split across multiple requests rather than rejected, while a single oversized payload is blocked server-side.
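A model of the two halves of the fix, written here as an added example rather than code taken from the symfony/ux-live-component project; the functions `validateBatchPayload`, `splitPendingActions` and `sendAllActions` are assumed stand-ins for the PHP controller check and for `Component.makeRequest()`, and the 120-action queue is constructed sample input:

```javascript
// Added example (not code from symfony/ux-live-component): models the bound
// described in the advisory on both sides of the _batch request.
const MAX_ACTIONS_PER_BATCH = 50; // value stated in the advisory

// Stand-in for the server-side check in BatchActionController::__invoke():
// reject oversized payloads before any sub-request is dispatched.
function validateBatchPayload(body) {
  const actions = body && body.actions;
  if (!Array.isArray(actions)) {
    return { status: 400, error: 'Missing actions array.' };
  }
  if (actions.length > MAX_ACTIONS_PER_BATCH) {
    // Mirrors the BadRequestHttpException('Too many actions in batch.')
    return { status: 400, error: 'Too many actions in batch.' };
  }
  return { status: 200, dispatched: actions.length };
}

// Stand-in for the client-side split in Component.makeRequest(): send at most
// MAX_ACTIONS_PER_BATCH actions now and keep the rest for a follow-up request.
function splitPendingActions(pendingActions) {
  const batch = pendingActions.slice(0, MAX_ACTIONS_PER_BATCH);
  const remainingActions = pendingActions.slice(MAX_ACTIONS_PER_BATCH);
  return {
    batch,
    remainingActions,
    // Overflow keeps the request pending so the framework issues another one.
    isRequestPending: remainingActions.length > 0,
  };
}

// Drives the client loop end to end against the stand-in server check and
// returns the sizes of the requests that were sent.
function sendAllActions(pendingActions) {
  const sentBatchSizes = [];
  let queue = pendingActions;
  let isRequestPending = true;
  while (isRequestPending) {
    const { batch, remainingActions, isRequestPending: more } = splitPendingActions(queue);
    const response = validateBatchPayload({ actions: batch });
    if (response.status !== 200) throw new Error(response.error);
    sentBatchSizes.push(batch.length);
    queue = remainingActions;
    isRequestPending = more;
  }
  return sentBatchSizes;
}

// Constructed sample: 120 queued actions become three requests of 50, 50 and 20.
const sampleActions = Array.from({ length: 120 }, (_, i) => ({ name: `action${i}` }));
```

Submitting `sampleActions` in one request is rejected by `validateBatchPayload`, while `sendAllActions` delivers the same 120 actions as three accepted requests.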

Preconditions

  • auth: The attacker must be an authenticated client (valid session)
  • network: The attacker sends a POST request to the `_batch` endpoint
  • input: The request body contains an `actions` array with more than 50 entries

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
