CVE-2026-45756
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS
Description
### Description The `JsonPath` component's `match()` and `search()` filter functions compile a caller-supplied pattern straight into `preg_match()`: ```php 'match' => @preg_match(\sprintf('/^%s$/u', $this->transformJsonPathRegex($argList[1])), $value), 'search' => @preg_match("/{$this->transformJsonPathRegex($argList[1])}/u", $value), ``` `transformJsonPathRegex()` only performs cosmetic escaping: there is no length cap, no restriction to the RFC 9485 i-regexp subset, and no bound on backtracking. An application that evaluates an attacker-influenced JSONPath expression server-side (e.g. one taken from a query parameter or API field and passed to `JsonCrawler`) can therefore be made to run a catastrophic-backtracking pattern such as `$[?search(@, "(a+)+$")]`. Evaluated against a moderately sized document, this pins a CPU core for seconds per request, so a handful of concurrent requests exhausts the worker pool: a denial of service. Because the `preg_match()` calls are prefixed with `@`, the PCRE backtrack-limit errors that would otherwise surface are suppressed, leaving no log trace. ### Conditions for exploitation An application that evaluates an attacker-influenced JSONPath expression containing a `match()` / `search()` filter against any non-trivial JSON input. ### Resolution `JsonCrawler` runs the `preg_match()` calls through a helper that lowers `pcre.backtrack_limit` to 10000 for the duration of the call (restoring the previous value afterwards), so a pathological pattern fails fast instead of stalling the worker. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14) for branch 7.4. ### Credits Symfony would like to thank Himanshu Anand for reporting the issue and Alexandre Daubois for providing the fix.
Affected packages (3)
- Debian/symfonyfrom 0, < 7.4.12+dfsg-1
- Packagist/symfony/json-path>= 7.3.0, < 7.4.12
- Packagist/symfony/symfony>= 7.3.0, < 7.4.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-45756
- PATCHhttps://github.com/symfony/symfony
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/json-path/CVE-2026-45756.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45756.yaml
- WEBhttps://github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14
- WEBhttps://github.com/symfony/symfony/security/advisories/GHSA-8v8v-g73j-492j
- WEBhttps://symfony.com/cve-2026-45756