Skip to main content

Symfony UX LiveComponent CVE-2026-49208

MEDIUM
Improper Input Validation (CWE-20)
2026-06-19 https://github.com/symfony/ux
Share

Severity by source

vuln.today AI
8.2 HIGH

Network endpoint accessible to any client; no authentication required by the vulnerability itself; integrity high due to business logic bypass; minor confidentiality impact from inferred internal temporal state.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:21 vuln.today
Analysis Generated
Jun 19, 2026 - 21:21 vuln.today

DescriptionCVE.org

Description

When a #[LiveProp] is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value). The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow", or "+10 years", so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date.

Resolution

hydrateObjectValue() now parses format-less date props strictly with createFromFormat(DateTimeInterface::RFC3339, ...), matching the format already emitted by dehydrateObjectValue(). Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

Business logic bypass in Symfony UX LiveComponent (symfony/ux-live-component) allows any client to manipulate writable #[LiveProp] date fields to arbitrary points in time by submitting relative PHP date strings such as '+10 years' or 'tomorrow' - inputs the application would never generate legitimately. Applications that gate time-sensitive features (trial periods, discount windows, scheduling logic, subscription expiry) on these date props are exposed to unauthorized temporal state manipulation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify writable format-less DateTimeInterface LiveProp via source review or endpoint probing
Delivery
Forge LiveComponent update request with relative date string (e.g., '+10 years')
Exploit
Unpatched hydrateObjectValue() passes string to permissive DateTime constructor
Execution
Server hydrates manipulated value into a DateTime object with attacker-controlled timestamp
Persist
Application evaluates manipulated date in time-based business logic
Impact
Attacker bypasses access gate or trial expiry check

Vulnerability AssessmentAI

Exploitation Exploitation requires ALL of the following to be true simultaneously: (1) The application runs symfony/ux-live-component >= 2.8.0 < 2.36.0 or >= 3.0.0 < 3.1.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score was assigned by the vendor or NVD, and no EPSS data is available, necessitating a full independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker using a Symfony application that gates a trial subscription or time-limited feature behind a writable LiveComponent date prop intercepts a LiveComponent update HTTP request (or forges one from browser developer tools) and replaces the date field value with '+10 years'. The server's `hydrateObjectValue()` method - in unpatched versions - passes this string directly to `new DateTime('+10 years')`, producing a DateTime object representing a date far in the future. …
Remediation Upgrade symfony/ux-live-component to version 2.36.0 for 2.x users or 3.1.0 for 3.x users; these are the vendor-confirmed fixed versions per GHSA-89g7-22c8-3j23, with the patch available at https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy