symfony/ux-live-component is vulnerable to Denial of Service
Low Risk
Symfony UX LiveComponent's BatchActionController::__invoke() iterates over a client-supplied actions array and dispatches a separate HttpKernel sub-request for each entry, without bounding the length of that array. An authenticated client can therefore submit a single batch payload containing thousands of actions and force the server to process thousands of sub-requests, exhausting CPU, memory, and database connections. The fix introduces a MAX_ACTIONS_PER_BATCH cap of 50 and rejects oversized payloads with a BadRequestHttpException (HTTP 400) before any sub-request is dispatched, while the JavaScript client now splits larger batches across multiple requests so legitimate callers keep working.
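The following is an added illustration, not code from the symfony/ux-live-component project: it models the pattern the advisory describes, a batch endpoint that turns each client-supplied action into an HttpKernel sub-request, and places the unbounded shape next to the bounded one. The class name BatchHandler, the method names handleUnbounded/handleBounded/dispatch, and the use of Request::duplicate() with an _action attribute are assumptions made for the example; the Symfony classes and constants (Request, Response, BadRequestHttpException, HttpKernelInterface::SUB_REQUEST) are real.

```php
<?php
// Added example (not the project's own controller). Assumed names:
// BatchHandler, handleUnbounded(), handleBounded(), dispatch(), and the
// "_action" request attribute used to carry the action into the sub-request.

declare(strict_types=1);

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\HttpKernelInterface;

final class BatchHandler
{
    // Same cap the advisory says the fix introduces.
    public const MAX_ACTIONS_PER_BATCH = 50;

    public function __construct(private HttpKernelInterface $kernel)
    {
    }

    // Vulnerable shape: every entry of the client-controlled array becomes a
    // sub-request. A payload with 10,000 actions costs the server 10,000
    // kernel handles (controllers, templates, DB queries) for one HTTP request.
    public function handleUnbounded(Request $request): Response
    {
        $payload = json_decode($request->getContent(), true);
        $actions = $payload['actions'] ?? [];

        $responses = [];
        foreach ($actions as $action) {
            $responses[] = $this->dispatch($request, $action);
        }

        return new Response(json_encode($responses), 200, ['Content-Type' => 'application/json']);
    }

    // Hardened shape: check the type and size of the array before any work
    // is done. Rejecting with a 400 is cheap; the sub-requests are not.
    public function handleBounded(Request $request): Response
    {
        $payload = json_decode($request->getContent(), true);
        $actions = $payload['actions'] ?? null;

        if (!\is_array($actions)) {
            throw new BadRequestHttpException('"actions" must be an array.');
        }
        if (\count($actions) > self::MAX_ACTIONS_PER_BATCH) {
            throw new BadRequestHttpException(sprintf(
                'A batch may contain at most %d actions, %d given.',
                self::MAX_ACTIONS_PER_BATCH,
                \count($actions)
            ));
        }

        $responses = [];
        foreach ($actions as $action) {
            $responses[] = $this->dispatch($request, $action);
        }

        return new Response(json_encode($responses), 200, ['Content-Type' => 'application/json']);
    }

    // One sub-request per action, handled through the kernel like the real
    // controller does (HttpKernelInterface::SUB_REQUEST).
    private function dispatch(Request $parent, mixed $action): string
    {
        $name = \is_array($action) ? (string) ($action['name'] ?? '') : '';
        $sub = $parent->duplicate(null, null, ['_action' => $name]);

        return (string) $this->kernel->handle($sub, HttpKernelInterface::SUB_REQUEST)->getContent();
    }
}
```

The size check sits before the loop rather than inside it on purpose: counting the array is O(1) in PHP, whereas aborting mid-loop would already have spent server resources on the first N sub-requests. A matching client-side change (chunking a long action list into groups of at most 50 requests) keeps legitimate users from hitting the 400, which is what the advisory says the JavaScript side of the fix does.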
You are affected if you are using a version that falls within the vulnerable range.
symfony/ux-live-component is vulnerable to Denial of Service in versions 2.5.0 through 2.35.0, and in version 3.0.0.
Upgrade the symfony/ux-live-component library to a patched version, and update the bundled JavaScript client at the same time so that legitimate batches larger than the new cap are split across requests rather than rejected.