Description "Symfony\Component\Yaml\Parser" resolves YAML aliases ("*anchor") during parsing. Aliases that reference collections (arrays, "stdClass", "TaggedValue"-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML. Resolution The "Parser" now counts collection alias resolutions in a shared "ParserState" object, with a default limit of 128, following the "SnakeYAML model" (https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/LoaderOptions.java). Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new "$maxAliasesForCollections" argument on "Parser::__construct()", "Yaml::parse()" and "Yaml::parseFile()". A new "Yaml::PARSE_EXCEPTION_ON_ALIAS" flag also rejects all aliases outright when parsing fully untrusted input. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a) for branch 5.4. Credits Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.