symfony/ux-live-component is vulnerable to Insufficient Verification of Data Authenticity
Low Risk
The LiveComponentHydrator computes an HMAC checksum over only the sorted prop key and value pairs, without binding it to the originating component or to the slot identifier. A signature minted for one component can therefore be replayed against any other component that has matching property names, and a props blob signature can be replayed in the propsFromParent slot. This lets an attacker set a read-only #[LiveProp] property on one component to an attacker-controlled value that was legitimately signed for a writable property of the same name on a different component. The fix binds the HMAC pre-image to the component name and to a slot identifier constant.
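To make the binding issue concrete, the following is an added Python stand-in for the hydrator's checksum logic (not the library's own code): it contrasts an HMAC over the sorted props alone with one whose pre-image also carries the component name and slot identifier, and checks which verifier accepts a checksum minted elsewhere. The component names, the "props" slot label and the secret are constructed for the example.

```python
# Added illustration, not symfony/ux-live-component's own code: a minimal
# stand-in for the hydrator's prop checksum, showing why an HMAC over the
# sorted props alone is replayable across components and slots, and how
# binding the pre-image to component name and slot identifier closes that.
import hashlib
import hmac
import json

SECRET = b"demo-secret-not-for-production"  # constructed for the example


def weak_checksum(props: dict) -> str:
    """Vulnerable shape: the pre-image is only the sorted key/value pairs."""
    preimage = json.dumps(props, sort_keys=True, separators=(",", ":"))
    return hmac.new(SECRET, preimage.encode(), hashlib.sha256).hexdigest()


def bound_checksum(component: str, slot: str, props: dict) -> str:
    """Fixed shape: component name and slot identifier join the pre-image."""
    preimage = json.dumps(
        {"component": component, "slot": slot, "props": props},
        sort_keys=True, separators=(",", ":"),
    )
    return hmac.new(SECRET, preimage.encode(), hashlib.sha256).hexdigest()


def weak_accepts(props: dict, sig: str) -> bool:
    """Verifier that cannot tell which component or slot minted the checksum."""
    return hmac.compare_digest(weak_checksum(props), sig)


def bound_accepts(component: str, slot: str, props: dict, sig: str) -> bool:
    """Verifier that rejects a checksum minted for another component or slot."""
    return hmac.compare_digest(bound_checksum(component, slot, props), sig)


def replay_demo() -> dict:
    # Constructed scenario: both components expose a prop named "price"; it is
    # writable on EditForm (so it gets a fresh checksum) and read-only on Summary.
    props = {"price": 1}
    weak_sig = weak_checksum(props)  # minted while editing EditForm
    bound_sig = bound_checksum("EditForm", "props", props)
    return {
        # Summary's verifier recomputes the same unbound HMAC: replay accepted.
        "weak_replay_other_component": weak_accepts(props, weak_sig),
        "bound_other_component": bound_accepts("Summary", "props", props, bound_sig),
        "bound_other_slot": bound_accepts("EditForm", "propsFromParent", props, bound_sig),
        "bound_original": bound_accepts("EditForm", "props", props, bound_sig),
    }
```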
You are affected if you are using a version that falls within the vulnerable range.
symfony/ux-live-component is vulnerable to Insufficient Verification of Data Authenticity in versions 2.8.0 - 2.35.0 and 3.0.0 - 3.0.0.
Upgrade the symfony/ux-live-component library to a patched version.