CVE-2025-47946
📋 TL;DR
This vulnerability in Symfony UX allows HTML attribute injection and cross-site scripting (XSS) attacks when rendering ComponentAttributes objects without proper escaping. Applications using symfony/ux-twig-component or symfony/ux-live-component versions before 2.25.1 are affected if they render untrusted user input through these components.
💻 Affected Systems
- symfony/ux-twig-component
- symfony/ux-live-component
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Attackers inject malicious attributes into web pages, leading to session hijacking, credential theft, or defacement of affected pages.
If Mitigated
With proper input validation and output encoding, the risk is limited to specific components that bypass security controls.
🎯 Exploit Status
Exploitation requires user input to reach vulnerable rendering methods, but the injection itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.25.1
Vendor Advisory: https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg
Restart Required: No
Instructions:
1. Update symfony/ux-twig-component to version 2.25.1 or higher.
2. If using symfony/ux-live-component, also update it to 2.25.1 or higher.
3. Run composer update symfony/ux-twig-component symfony/ux-live-component.
4. Clear any caches if applicable.
🔧 Temporary Workarounds
Safe attribute rendering
Avoid rendering {{ attributes }} directly when it may contain untrusted values. Use {{ attributes.render('name') }} for safe output of individual attributes instead.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-provided data before it reaches ComponentAttributes rendering.
- Use Content Security Policy (CSP) headers to mitigate potential XSS impact by restricting script execution sources.
🔍 How to Verify
Check if Vulnerable:
Check composer.json or composer.lock for symfony/ux-twig-component or symfony/ux-live-component versions below 2.25.1.
Check Version:
composer show symfony/ux-twig-component symfony/ux-live-component
Verify Fix Applied:
Confirm both packages show version 2.25.1 or higher in composer.lock after update.
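The composer.lock check above, as an added helper script that is not part of this advisory or of the Symfony project: it reads a lock file, finds the two affected packages in both the packages and packages-dev sections, and reports each as vulnerable, fixed, or unknown (dev branches and pre-release tags are flagged for manual review rather than guessed). The embedded lock fragment is constructed sample data.

```python
import json
import re

# Packages named in the advisory and the first fixed release it cites.
AFFECTED_PACKAGES = ("symfony/ux-twig-component", "symfony/ux-live-component")
FIXED_VERSION = "2.25.1"


def parse_version(version):
    """Turn a composer release string such as 'v2.24.0' into a comparable tuple.

    Returns None for anything that is not a plain X.Y.Z release (dev-main,
    v2.25.1-RC1, aliases), so those entries are reported as 'unknown'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)$", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def check_composer_lock(lock_json):
    """Map each installed affected package to 'vulnerable', 'fixed' or 'unknown'.

    Packages that are not installed at all are simply absent from the result."""
    lock = json.loads(lock_json)
    fixed = parse_version(FIXED_VERSION)
    results = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name not in AFFECTED_PACKAGES:
                continue
            installed = parse_version(pkg.get("version", ""))
            if installed is None:
                results[name] = "unknown"
            elif installed < fixed:
                results[name] = "vulnerable"
            else:
                results[name] = "fixed"
    return results


# Constructed sample composer.lock fragment (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/ux-twig-component", "version": "v2.24.0"},
        {"name": "symfony/ux-live-component", "version": "v2.25.1"},
        {"name": "twig/twig", "version": "v3.10.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, status in check_composer_lock(SAMPLE_LOCK).items():
        print(f"{name}: {status}")
```

To run it against a real project, replace SAMPLE_LOCK with the contents of that project's composer.lock.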
📡 Detection & Monitoring
Log Indicators:
- Unusual attribute values in rendered HTML output
- Multiple failed attempts to inject script tags in form submissions
Network Indicators:
- Unexpected JavaScript execution from attribute values
- Suspicious POST requests with HTML/script payloads
SIEM Query:
Search web logs for patterns such as onmouseover=, onload=, or javascript: appearing in attribute contexts.