symfony/ux-live-component is vulnerable to Cross-Site Request Forgery (CSRF)
Low Risk
The symfony/ux-live-component package gated #[LiveAction] invocations on the Accept: application/vnd.live-component+html header as its CSRF protection. That header is CORS-safelisted under the Fetch spec, so a cross-origin fetch() can set it without triggering a preflight, which allows any LiveAction to be forged against a victim's session. Default SameSite=Lax session cookies mitigate the straightforward cross-site attack, but applications that set SameSite=None, use permissive cookie policies, or are exposed to same-origin pivots remain vulnerable. The fix additionally requires the non-safelisted X-Requested-With: XMLHttpRequest header, which forces a CORS preflight that LiveComponent endpoints do not honor.
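To make the mechanism concrete, here is an added example (not code from symfony/ux-live-component) that models the LiveAction request gate before and after the fix alongside the Fetch spec's CORS-safelisted request-header rule for Accept; the function names and the treatment of every header other than Accept as non-safelisted are simplifications of my own.

```python
# Added example, not code from symfony/ux-live-component: a model of the
# LiveAction request gate before and after the fix, plus the Fetch spec's
# "CORS-safelisted request-header" rule, showing which gate a cross-origin
# fetch() can satisfy without the browser issuing a preflight.
from collections.abc import Callable, Mapping

LIVE_ACCEPT = "application/vnd.live-component+html"

# Fetch spec: a "CORS-unsafe request-header byte" is any control byte other
# than HT, the DEL byte, or one of these punctuation bytes.
_UNSAFE_PUNCT = set(b'"():<>?@[\\]{}')


def _has_unsafe_byte(value: str) -> bool:
    for b in value.encode("latin-1", "replace"):
        if (b < 0x20 and b != 0x09) or b == 0x7F or b in _UNSAFE_PUNCT:
            return True
    return False


def is_cors_safelisted(name: str, value: str) -> bool:
    """Fetch spec rule for Accept; simplification: every other header name
    (including X-Requested-With) is treated as not safelisted."""
    if len(value.encode("latin-1", "replace")) > 128:
        return False
    if name.lower() == "accept":
        return not _has_unsafe_byte(value)
    return False


def needs_preflight(headers: Mapping[str, str]) -> bool:
    """A cross-origin fetch() carrying any non-safelisted header is preflighted."""
    return any(not is_cors_safelisted(n, v) for n, v in headers.items())


def gate_before_fix(headers: Mapping[str, str]) -> bool:
    """Vulnerable gate: the Accept header alone."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("accept") == LIVE_ACCEPT


def gate_after_fix(headers: Mapping[str, str]) -> bool:
    """Patched gate: Accept plus the non-safelisted X-Requested-With."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("accept") == LIVE_ACCEPT and h.get("x-requested-with") == "XMLHttpRequest"


def forgeable_without_preflight(gate: Callable[[Mapping[str, str]], bool],
                                headers: Mapping[str, str]) -> bool:
    """Does `gate` accept a request a cross-origin page could send with no
    preflight, so that only the cookie policy decides whether CSRF works?"""
    return gate(headers) and not needs_preflight(headers)
```

With the patched gate, the only request that passes carries X-Requested-With, so the browser preflights it and the endpoint, which does not answer CORS preflights, never sees the forged action.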
You are affected if you are using a version that falls within the vulnerable range.
symfony/ux-live-component is vulnerable to Cross-Site Request Forgery (CSRF) in versions 2.22.0 through 2.35.0 and in version 3.0.0.
Upgrade the symfony/ux-live-component library to a patched version.