GHSA-4vf2-qfg3-7598: 
PHP vulnerability analysis and mitigation

The XML Entity Expansion (XEE) vulnerability (GHSA-4vf2-qfg3-7598) affects symfony/validator versions >= 2.0.0 and < 2.0.17. This vulnerability was discovered in the way XML is handled in the Symfony validator component, specifically related to XML Entity Expansion attacks. The issue was identified and reported by Pádraic Brady from the Zend Framework team and was fixed in version 2.0.17 released on August 28, 2012 (Symfony Blog).

The vulnerability is related to XML Entity Expansion (XEE) Quadratic Blowup Attacks where there was no defense against XEE attacks in extensions using libxml2. The issue stems from the inability to disable custom entities in PHP that are defined internally within XML documents. In a Quadratic Blowup Attack (QBA), an attacker can define a long entity and reference it multiple times in document elements, creating a memory sink. The vulnerability is particularly amplified when using the LIBXML_NOENT option, which contrary to its name does not actually mean 'No Entities' (GitHub Advisory).

The primary impact of this vulnerability is the potential for Denial of Service (DoS) attacks against a host's RAM. When exploited, the vulnerability allows attackers to create memory sinks through entity expansion, which can cause peak memory usage to spike rapidly when the nodeValue is accessed, as entities are expanded through a multiplier effect (GitHub Advisory).

The vulnerability was fixed in Symfony version 2.0.17. The recommended mitigation is to upgrade to this version or later. For those unable to upgrade immediately, the fix involves using a combination of libxmldisableentityloader(TRUE) and the LIBXMLNONET option. Additionally, the DOCTYPE may be removed, though this could result in issues with unresolved entities (Symfony Blog).