Add CVE-2025-47964 for Symfony UX Twig/Live Component #751
stof merged 2 commits into FriendsOfPHP:master from
Conversation
| 2.x: | ||
| time: 2025-05-19 12:05:00 | ||
| versions: ['<2.25.1'] | ||
| reference: composer://symfony/ux-live-component |
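Review bot: the advisory identifier in the PR title (CVE-2025-47964) does not match the identifier in the Symfony blog post URL linked at the end of this thread (cve-2025-47946); please confirm which identifier the entry under `2.x:` should carry before this is merged. Whether the entry belongs here at all also depends on the open question in the conversation: if `composer://symfony/ux-live-component` is only affected through its dependency on symfony/ux-twig-component, then `versions: ['<2.25.1']` against the live-component package is redundant with the twig-component advisory rather than a separate finding.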
Is ux-live-component actually impacted directly, or only through its dependency on ux-twig-component (which would be reported anyway through the other advisory)?
I'd say directly, as attributes were created and rendered directly from ux-live-component... no?
What happens if you use symfony/ux-live-component 2.24 with symfony/ux-twig-component 2.25.1? Would we still have the security issue, or would it be solved by the patch in symfony/ux-twig-component 2.25.1? That's the main question here (if updating only symfony/ux-twig-component to 2.25.1 removes the security vulnerability, we don't need an advisory for symfony/ux-live-component).
The fact that symfony/ux-live-component might be buggy (due to some double-escaping in places where it was working around the TwigComponent vulnerability before) when installed alongside the patched ux-twig-component is a different topic (as this is not about a security issue).
symfony/ux-live-component 2.24 with symfony/ux-twig-component 2.25.1
It would crash in multiple LiveComponent places, as ComponentAttributes would not have its second required argument when instantiated (in live component code).
Related blog post: https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes
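The vulnerability class the advisory covers (unsanitized HTML attribute injection) and the double-escaping pitfall mentioned in the thread can both be shown with a minimal attribute renderer. The PHP below is an added illustration written for this page; it is not code from symfony/ux-twig-component or symfony/ux-live-component, and the function names, the attribute-name pattern and the sample input are all constructed for the example. It renders a constructed attribute map once without escaping, once with proper escaping, and once escaped twice, so the three outputs can be compared side by side.

```php
<?php
// Added example, not the project's own code. The first renderer reproduces the
// vulnerability class (attribute values interpolated verbatim); the second is the
// hardened form; the third shows what double-escaping does to the output.

/** Vulnerable form: values are written into the markup unchanged. */
function renderAttributesUnescaped(array $attributes): string
{
    $html = '';
    foreach ($attributes as $name => $value) {
        $html .= sprintf(' %s="%s"', $name, $value); // value is not escaped
    }
    return $html;
}

/** Hardened form: attribute names are validated, values are escaped for a quoted attribute. */
function renderAttributes(array $attributes): string
{
    $html = '';
    foreach ($attributes as $name => $value) {
        // Hypothetical name pattern: reject names that could not be emitted safely.
        if (!preg_match('/^[A-Za-z_:][A-Za-z0-9_:.-]*$/', $name)) {
            throw new InvalidArgumentException(sprintf('Invalid attribute name "%s"', $name));
        }
        // ENT_QUOTES escapes both " and ', so a value can never close the quoted attribute.
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= sprintf(' %s="%s"', $name, $escaped);
    }
    return $html;
}

/** Escaping an already-escaped map a second time: the "double-escaping" bug from the thread. */
function renderAttributesTwice(array $attributes): string
{
    $preEscaped = [];
    foreach ($attributes as $name => $value) {
        $preEscaped[$name] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return renderAttributes($preEscaped);
}

// Constructed input: a title that would break out of its attribute if left raw.
$attributes = [
    'class' => 'btn',
    'title' => '" data-injected="yes',
];

echo "unescaped:      <a" . renderAttributesUnescaped($attributes) . ">\n";
// Output: <a class="btn" title="" data-injected="yes">   (a new attribute was injected)

echo "escaped:        <a" . renderAttributes($attributes) . ">\n";
// Output: <a class="btn" title="&quot; data-injected=&quot;yes">   (stays inside title)

echo "double-escaped: <a" . renderAttributesTwice($attributes) . ">\n";
// Output: <a class="btn" title="&amp;quot; data-injected=&amp;quot;yes">   (renders literally as &quot;)
```

The first line of output is the injection the advisory describes: the raw quote terminates `title` and the remainder of the value becomes a separate attribute. The second line is what a single, correctly placed escaping step produces. The third line is the non-security bug the thread distinguishes from the vulnerability: when a caller that used to escape on its own is combined with a renderer that now escapes too, the browser shows the entity text rather than a quote. The practical check when pinning versions is therefore that exactly one layer escapes, and that it is the layer closest to the markup.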