symfony/ux-live-component is vulnerable to Improper Input Validation
Low Risk (37)
Symfony UX LiveComponent's LiveComponentHydrator::hydrateObjectValue() hydrates #[LiveProp] properties typed as DateTimeInterface with no explicit format by calling new $className($value). PHP's DateTime and DateTimeImmutable constructors accept relative strings such as now, tomorrow, or +10 years, so a client can supply a relative-date payload and push a writable date prop to an arbitrary point in time, bypassing components that gate time-based business logic on that prop. The fix parses format-less date props strictly with createFromFormat(DateTimeInterface::RFC3339, ...), matching the format emitted by dehydrateObjectValue() so only valid RFC 3339 inputs are accepted.
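As an added example (not code from symfony/ux-live-component or from this advisory), the following self-contained PHP script reproduces the behaviour described above: a hydrator that delegates to the date class constructor, next to one that parses strictly with createFromFormat(DateTimeInterface::RFC3339, ...), and a component that gates business logic on the hydrated prop. The function names hydrateDateProp() and hydrateDatePropStrict(), the TrialGate class, the mapping of a prop typed as the DateTimeInterface interface itself onto DateTimeImmutable, and the sample payloads are assumptions made for this illustration; the getLastErrors() check is extra hardening beyond what the advisory describes.

```php
<?php
declare(strict_types=1);

// Added example, not code from symfony/ux-live-component: a minimal stand-in
// for the hydration step described in the advisory, in a vulnerable and a
// hardened form. hydrateDateProp(), hydrateDatePropStrict() and TrialGate
// are hypothetical names chosen for this illustration.

/**
 * Vulnerable form: delegate to the date class constructor, which accepts
 * relative strings such as "now", "tomorrow" or "+10 years".
 */
function hydrateDateProp(string $className, string $value): DateTimeInterface
{
    // Assumption: a prop typed as the DateTimeInterface interface itself is
    // materialised as DateTimeImmutable, since an interface cannot be instantiated.
    if ($className === DateTimeInterface::class) {
        $className = DateTimeImmutable::class;
    }
    return new $className($value);
}

/**
 * Hardened form: accept only the RFC 3339 layout (Y-m-d\TH:i:sP) that the
 * dehydration side emits, and fail closed on anything else.
 */
function hydrateDatePropStrict(string $className, string $value): DateTimeInterface
{
    if ($className === DateTimeInterface::class) {
        $className = DateTimeImmutable::class;
    }
    $date = $className::createFromFormat(DateTimeInterface::RFC3339, $value);
    // createFromFormat() returns false when the string does not match the format
    // (relative strings, trailing data). Additionally reject values that parsed
    // with warnings, e.g. a day of month that rolled over into the next month.
    $errors = $className::getLastErrors(); // false on PHP >= 8.2 when nothing was reported
    $hadWarnings = $errors !== false
        && ($errors['warning_count'] > 0 || $errors['error_count'] > 0);
    if ($date === false || $hadWarnings) {
        throw new InvalidArgumentException(
            sprintf('Invalid RFC 3339 date for %s: "%s"', $className, $value)
        );
    }
    return $date;
}

/** A component whose business logic is gated on a writable date prop. */
final class TrialGate
{
    public function __construct(public DateTimeInterface $trialEndsAt)
    {
    }

    public function isActive(DateTimeInterface $now): bool
    {
        return $this->trialEndsAt > $now;
    }
}

// Constructed request payloads: one legitimate value in the dehydrated format,
// followed by the kind of strings a client can submit instead.
$payloads = [
    '2024-05-01T00:00:00+00:00',           // expired trial, as the server emitted it
    '+10 years',                           // pushes the prop a decade into the future
    'tomorrow',
    '2024-05-01T00:00:00+00:00 +10 years', // RFC 3339 prefix with trailing relative data
];
$now = new DateTimeImmutable();

foreach ($payloads as $payload) {
    $loose = hydrateDateProp(DateTimeImmutable::class, $payload);
    printf("constructor : %-40s -> %s active=%s\n",
        $payload, $loose->format(DateTimeInterface::RFC3339),
        (new TrialGate($loose))->isActive($now) ? 'yes' : 'no');

    try {
        $strict = hydrateDatePropStrict(DateTimeImmutable::class, $payload);
        printf("strict      : %-40s -> %s active=%s\n",
            $payload, $strict->format(DateTimeInterface::RFC3339),
            (new TrialGate($strict))->isActive($now) ? 'yes' : 'no');
    } catch (InvalidArgumentException $e) {
        printf("strict      : %-40s -> rejected (%s)\n", $payload, $e->getMessage());
    }
}
```

Run it with `php example.php`. The constructor path turns "+10 years", "tomorrow" and the trailing-data payload into live dates and reports the trial as active; the strict path hydrates only the first payload and rejects the other three with an exception, which is the behaviour the advisory's fix restores. The getLastErrors() check also catches inputs that match the format but carry an impossible calendar date.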
You are affected if you are using a version within the vulnerable range: symfony/ux-live-component versions 2.8.0 through 2.35.0, and version 3.0.0.
Upgrade symfony/ux-live-component to a patched version.