### Description

`Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single `_batch` request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.

### Resolution

`BatchActionController` now enforces an upper bound of 50 actions per `_batch` request (`MAX_ACTIONS_PER_BATCH`) and rejects larger payloads up front with a `BadRequestHttpException`. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected.

The patch for this issue is available [here](https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f) for branch 2.x (and forward-ported to 3.x).

### Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
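The shape of the fix, as an added illustration that is not the Symfony UX code itself: the batch size is checked once, before the loop, so an oversized payload is rejected in constant time instead of costing one sub-request per entry. The class name, the JSON payload handling and the way each sub-request is built are assumptions for the example; only `MAX_ACTIONS_PER_BATCH`, the limit of 50 and `BadRequestHttpException` come from the advisory.

```php
<?php
// Illustrative sketch of a bounded batch controller (not the real BatchActionController).
declare(strict_types=1);

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\HttpKernelInterface;

final class IllustrativeBatchActionController
{
    // Upper bound from the fix: larger payloads are rejected before any work is done.
    public const MAX_ACTIONS_PER_BATCH = 50;

    public function __construct(private readonly HttpKernelInterface $kernel) {}

    // Rejects the batch when it exceeds the bound; O(1), runs before any sub-request.
    public static function assertBatchSize(array $actions): void
    {
        $count = \count($actions);
        if ($count > self::MAX_ACTIONS_PER_BATCH) {
            throw new BadRequestHttpException(sprintf(
                'Too many actions in batch: %d (max %d).', $count, self::MAX_ACTIONS_PER_BATCH
            ));
        }
    }

    public function __invoke(Request $request): Response
    {
        // Assumed payload shape: {"actions": [ {...}, {...} ]}
        $payload = json_decode($request->getContent(), true, 512, JSON_THROW_ON_ERROR);
        $actions = $payload['actions'] ?? null;
        if (!\is_array($actions)) {
            throw new BadRequestHttpException('Missing "actions" array.');
        }

        // The guard sits before the loop: this is the whole mitigation.
        self::assertBatchSize($actions);

        $responses = [];
        foreach ($actions as $action) {
            // Each entry still costs a full kernel sub-request; only the count is now bounded.
            $sub = Request::create($request->getPathInfo(), 'POST', [], [], [], $request->server->all(), json_encode($action));
            $responses[] = $this->kernel->handle($sub, HttpKernelInterface::SUB_REQUEST)->getContent();
        }

        return new Response(implode('', $responses));
    }
}
```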