Reflected cross-site scripting (XSS) in symfony/ux-live-component

Description

Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact

Rendering {{ attributes }}, or any method that returns a ComponentAttributes instance (e.g. only(), defaults(), without()), outputs attribute values directly without escaping. If any of those values is untrusted (for example, derived from user input), an attacker can close the quoted attribute and inject further attributes or markup, which leads to HTML attribute injection and cross-site scripting.

Patches

The issue is fixed in version 2.25.1 of symfony/ux-twig-component by using Twig's EscaperRuntime to properly escape HTML attributes in ComponentAttributes. If you use symfony/ux-live-component, you must also update it to 2.25.1 to benefit from the fix, as it reuses the ComponentAttributes class internally.

Workarounds

Until you can upgrade, avoid rendering {{ attributes }} directly, or any ComponentAttributes object derived from it via only(), defaults() or without(), when it may contain untrusted values. Instead, render the individual attributes you need with {{ attributes.render('name') }}, which outputs each attribute safely.
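The following is an added example, not code from symfony/ux: a minimal PHP model of the bug class described in the Impact and Workarounds sections. VulnerableAttributes mirrors the pre-2.25.1 behaviour (values concatenated into the attribute string verbatim), while SafeAttributes escapes every value before it reaches the markup, which is what the fix does with Twig's EscaperRuntime. Because the attributes object emits ready-made HTML rather than a plain value, Twig's output escaping cannot protect it, so the escaping has to live inside the object. The class and method names, the attribute-name check and the sample payload are assumptions made for the example.

```php
<?php
// Added example (not symfony/ux code). Requires PHP 8.0+.
declare(strict_types=1);

/** Pre-fix behaviour: values are interpolated unescaped. Do not use. */
final class VulnerableAttributes
{
    /** @param array<string,string|bool> $attributes */
    public function __construct(private array $attributes) {}

    /** Derived objects (only(), without(), ...) inherit the same unsafe rendering. */
    public function without(string ...$names): self
    {
        return new self(array_diff_key($this->attributes, array_flip($names)));
    }

    public function __toString(): string
    {
        $out = '';
        foreach ($this->attributes as $name => $value) {
            if ($value === false) {
                continue;
            }
            // A value containing a double quote terminates the attribute early.
            $out .= $value === true ? " $name" : " $name=\"$value\"";
        }
        return $out;
    }
}

/** Patched behaviour: every value is HTML-escaped and attribute names are validated. */
final class SafeAttributes
{
    /** @param array<string,string|bool> $attributes */
    public function __construct(private array $attributes) {}

    public function without(string ...$names): self
    {
        return new self(array_diff_key($this->attributes, array_flip($names)));
    }

    /** Render one attribute; this is the per-attribute path the workaround relies on. */
    public function render(string $name): string
    {
        if (!isset($this->attributes[$name]) || $this->attributes[$name] === false) {
            return '';
        }
        return $this->format($name, $this->attributes[$name]);
    }

    public function __toString(): string
    {
        $out = '';
        foreach ($this->attributes as $name => $value) {
            if ($value === false) {
                continue;
            }
            $out .= ' '.$this->format((string) $name, $value);
        }
        return $out;
    }

    private function format(string $name, string|bool $value): string
    {
        // Names normally come from the template author, but reject anything that could
        // break out of the attribute position (spaces, quotes, '=', '>', ...).
        if (!preg_match('/^[A-Za-z_:][-A-Za-z0-9_:.]*$/', $name)) {
            throw new InvalidArgumentException(sprintf('Invalid attribute name "%s".', $name));
        }
        if ($value === true) {
            return $name; // boolean attribute, e.g. "disabled"
        }
        // ENT_QUOTES escapes both quote styles, so a value can never close the attribute;
        // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
        $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        return sprintf('%s="%s"', $name, $escaped);
    }
}

// Constructed attacker-controlled input, e.g. a "title" copied from a request parameter.
$payload = '" onmouseover="alert(document.cookie)';
$attrs = ['class' => 'btn', 'title' => $payload, 'disabled' => true];

echo '<button'.new VulnerableAttributes($attrs).">Save</button>\n";
echo '<button'.(new VulnerableAttributes($attrs))->without('class').">Save</button>\n";
echo '<button'.new SafeAttributes($attrs).">Save</button>\n";
echo '<button '.(new SafeAttributes($attrs))->render('title').">Save</button>\n";
```

Running the script shows the difference directly: the two VulnerableAttributes lines contain a live onmouseover attribute (the payload's first quote closes the empty title), whereas SafeAttributes keeps the whole payload inside title="..." as escaped text, and render('title') produces only that single escaped attribute. Note that escaping values does not make attribute names safe, which is why the example validates them separately.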

References

GitHub repository: symfony/ux

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
