GHSA-5J3W-5PCR-F8HG
Vulnerability from github – Published: 2025-05-19 22:24 – Updated: 2025-08-29 21:08
Impact
Rendering {{ attributes }} or using any method that returns a ComponentAttributes instance (e.g. only(), defaults(), without()) outputs attribute values directly without escaping. If any of these values is untrusted (e.g. derived from user input), a value containing a double quote can terminate the attribute early and inject further attributes or markup, leading to HTML attribute injection and cross-site scripting (XSS).
Patches
The issue is fixed in version 2.25.1 of symfony/ux-twig-component by using Twig's EscaperRuntime to properly escape HTML attributes in ComponentAttributes. If you use symfony/ux-live-component, you must also update it to 2.25.1 to benefit from the fix, as it reuses the ComponentAttributes class internally.
Workarounds
Until you can upgrade, avoid rendering {{ attributes }}, or any ComponentAttributes instance derived from it, directly if it may contain untrusted values.
Instead, use {{ attributes.render('name') }} for safe output of individual attributes.
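To make the Impact and Workarounds sections concrete, here is an added example that is not code from symfony/ux. ToyAttributes is a deliberately minimal stand-in for ComponentAttributes: renderUnsafe() mirrors the pre-2.25.1 behaviour of {{ attributes }} (values concatenated verbatim), while renderSafe() and render() show the fixed behaviour and the attributes.render('name') workaround respectively. The real fix escapes through Twig's EscaperRuntime with the html_attr strategy, which encodes every non-alphanumeric character; htmlspecialchars() with ENT_QUOTES is used here as an assumption-level stand-in so the script runs on PHP 8.1+ without Twig installed. The attribute-name check in the constructor and the untrusted title value are both constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from symfony/ux. ToyAttributes models the
// attribute-rendering behaviour described in the advisory: renderUnsafe()
// reproduces the vulnerable concatenation, renderSafe()/render() the escaped
// form. htmlspecialchars() stands in for Twig's EscaperRuntime (html_attr).
final class ToyAttributes
{
    /** @param array<string, string|int|bool|null> $attributes */
    public function __construct(private readonly array $attributes)
    {
        // Attribute names normally come from the developer, not the user, but
        // rejecting odd names is cheap insurance against name-based injection
        // (an extra check for this example; the advisory is about values).
        foreach (array_keys($attributes) as $name) {
            if (!preg_match('/^[A-Za-z_:][\w:.-]*$/', (string) $name)) {
                throw new InvalidArgumentException("Invalid attribute name: {$name}");
            }
        }
    }

    // Vulnerable: the value is dropped between the quotes untouched, so a value
    // containing a double quote terminates the attribute early.
    public function renderUnsafe(): string
    {
        $out = '';
        foreach ($this->attributes as $name => $value) {
            if ($value === null || $value === false) {
                continue;
            }
            $out .= $value === true ? " {$name}" : " {$name}=\"{$value}\"";
        }
        return $out;
    }

    // Fixed: every value is escaped for the HTML attribute context before it
    // is placed between the quotes.
    public function renderSafe(): string
    {
        $out = '';
        foreach ($this->attributes as $name => $value) {
            if ($value === null || $value === false) {
                continue;
            }
            $out .= $value === true ? " {$name}" : " {$name}=\"" . self::escape($value) . '"';
        }
        return $out;
    }

    // Counterpart of the advisory's workaround, attributes.render('name'):
    // emit one attribute, escaped, or nothing if it is absent or false.
    public function render(string $name): string
    {
        $value = $this->attributes[$name] ?? null;
        if ($value === null || $value === false) {
            return '';
        }
        return $value === true ? " {$name}" : " {$name}=\"" . self::escape($value) . '"';
    }

    private static function escape(string|int $value): string
    {
        // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning
        // an empty string on invalid UTF-8, which would silently drop the value.
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed untrusted input: a title that closes the attribute and adds an
// event handler, the classic attribute-injection payload.
$untrusted = 'Hello" onmouseover="alert(document.domain)';
$attrs = new ToyAttributes(['class' => 'btn', 'title' => $untrusted, 'disabled' => false]);

$unsafe = '<button' . $attrs->renderUnsafe() . '>Click</button>';
$safe   = '<button' . $attrs->renderSafe() . '>Click</button>';

echo $unsafe, PHP_EOL;                                   // handler becomes a live attribute
echo $safe, PHP_EOL;                                     // handler stays inside the title text
echo '<button' . $attrs->render('title') . '>Click</button>', PHP_EOL;

// Regression check a test suite could keep: the injected handler must appear
// as a real attribute only in the unsafe output, never in the escaped one.
if (!str_contains($unsafe, ' onmouseover="alert') || str_contains($safe, ' onmouseover="')) {
    throw new RuntimeException('attribute escaping check failed');
}
```

Run it with `php example.php`. The first line shows the injected onmouseover as a live attribute of the button; in the second and third lines the double quotes are rendered as `&quot;`, so the whole payload stays inside the title value. When auditing a real project for this issue, grep templates for `{{ attributes` (and for `.only(`, `.without(`, `.defaults(`) and confirm every value reaching those calls is either developer-controlled or passed through the patched 2.25.1 rendering.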
References
GitHub repository: symfony/ux
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/ux-twig-component"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/ux-live-component"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47946"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T22:24:45Z",
"nvd_published_at": "2025-05-19T20:15:26Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nRendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities.\n\n### Patches\n\nThe issue is fixed in version `2.25.1` of `symfony/ux-twig-component` by using Twig\u0027s `EscaperRuntime` to properly escape HTML attributes in `ComponentAttributes`. If you use `symfony/ux-live-component`, you must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally.\n\n### Workarounds\n\nUntil you can upgrade, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values.\nInstead, use `{{ attributes.render(\u0027name\u0027) }}` for safe output of individual attributes.\n\n### References\n\nGitHub repository: [symfony/ux](https://github.com/symfony/ux)",
"id": "GHSA-5j3w-5pcr-f8hg",
"modified": "2025-08-29T21:08:41Z",
"published": "2025-05-19T22:24:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47946"
},
{
"type": "WEB",
"url": "https://github.com/symfony/ux-live-component/commit/7ad44cf56d750b9f56658ed986286a10da132ee7"
},
{
"type": "WEB",
"url": "https://github.com/symfony/ux-twig-component/commit/b5d4e77db69315aeb18d2238e0e7c943d340ce76"
},
{
"type": "WEB",
"url": "https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8"
},
{
"type": "WEB",
"url": "https://github.com/symfony/ux/commit/c2f7738ee0969c31df7514025a7f5fc6e153932d"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2025-47946.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-twig-component/CVE-2025-47946.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/ux"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes"
}