CVE-2026-49209LOWCVSS 0.0

symfony/ux-live-component: Denial of service via unbounded batch action requests

Published Jun 19, 2026·Updated Jun 19, 2026

Description

### Description `Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single `_batch` request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. ### Resolution `BatchActionController` now enforces an upper bound of 50 actions per `_batch` request (`MAX_ACTIONS_PER_BATCH`) and rejects larger payloads up front with a `BadRequestHttpException`. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected. The patch for this issue is available [here](https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f) for branch 2.x (and forward-ported to 3.x). ### Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

Affected Packages (1)

symfony/ux-live-componentCOMPOSER
From 2.5.0
Fixed in 2.36.0

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free