8 matches found
Improper Verification of Cryptographic Signature
Overview symfony/ux-live-component is a Live components for Symfony Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via insufficient context binding in HMAC protection for Live Component properties. An attacker can modify read-only properties o...
symfony/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted
Description When using symfony/ux-live-component, methods annotated with LiveAction are invokable from the browser and mutate server-side state via AJAX. Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gated these invocations on the presence of Accept:...
symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor
Description When a LiveProp is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className$value. The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow",...
symfony/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding
Description In symfony/ux-live-component, a component's server-side state is exposed to the browser as a set of props LiveProp-annotated properties. Props marked writable: true can be freely changed by the client. Read-only props are round-tripped to the browser and back, and their integrity is...
symfony/ux-live-component Denial of service via unbounded batch action requests
Description Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry event subscribers, validators, Doctrine, rendering. The array size is never bounded, so an authenticated client can...
symfony/ux-live-component XSS via attacker-controlled child component tag
Description Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the $childTag argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON childrenid.tag parsed by LiveComponentSubscriber an...
CVE-2025-47946
Summary: CVE-2025-47946 affects Symfony UX components. Prior to 2.25.1, rendering {{ attributes }} or using methods returning a ComponentAttributes instance can output unescaped attribute values, risking HTML attribute injection and XSS. The vulnerability affects the Symfony UX Twig component and...
symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes
More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...