Symfony UX LiveComponent CVE-2026-49208
MEDIUMSeverity by source
Network endpoint accessible to any client; no authentication required by the vulnerability itself; integrity high due to business logic bypass; minor confidentiality impact from inferred internal temporal state.
Lifecycle Timeline
2DescriptionCVE.org
Description
When a #[LiveProp] is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value). The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow", or "+10 years", so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date.
Resolution
hydrateObjectValue() now parses format-less date props strictly with createFromFormat(DateTimeInterface::RFC3339, ...), matching the format already emitted by dehydrateObjectValue(). Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
Business logic bypass in Symfony UX LiveComponent (symfony/ux-live-component) allows any client to manipulate writable #[LiveProp] date fields to arbitrary points in time by submitting relative PHP date strings such as '+10 years' or 'tomorrow' - inputs the application would never generate legitimately. Applications that gate time-sensitive features (trial periods, discount windows, scheduling logic, subscription expiry) on these date props are exposed to unauthorized temporal state manipulation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires ALL of the following to be true simultaneously: (1) The application runs symfony/ux-live-component >= 2.8.0 < 2.36.0 or >= 3.0.0 < 3.1.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score was assigned by the vendor or NVD, and no EPSS data is available, necessitating a full independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker using a Symfony application that gates a trial subscription or time-limited feature behind a writable LiveComponent date prop intercepts a LiveComponent update HTTP request (or forges one from browser developer tools) and replaces the date field value with '+10 years'. The server's `hydrateObjectValue()` method - in unpatched versions - passes this string directly to `new DateTime('+10 years')`, producing a DateTime object representing a date far in the future. … |
| Remediation | Upgrade symfony/ux-live-component to version 2.36.0 for 2.x users or 3.1.0 for 3.x users; these are the vendor-confirmed fixed versions per GHSA-89g7-22c8-3j23, with the patch available at https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today