Description "Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()" iterates over the client-supplied "actions" array and issues a full "HttpKernel" sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single "_batch" request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. Resolution "BatchActionController" now enforces an upper bound of 50 actions per "_batch" request ("MAX_ACTIONS_PER_BATCH") and rejects larger payloads up front with a "BadRequestHttpException". The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected. The patch for this issue is available "here" (https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f) for branch 2.x (and forward-ported to 3.x). Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.