CVE-2025-47946: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes
Rendering `{{ attributes }}`, or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`), outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities.
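The following is an added illustration of the attribute-rendering flaw described above; it is not code from symfony/ux, and the `AttributeBag` class, its methods and the sample values are hypothetical. It contrasts an attribute bag that concatenates values verbatim with one that escapes names and values for an HTML attribute context, so a quote inside a user-controlled value cannot close the attribute and start new ones.

```php
<?php
// Added illustration, not code from symfony/ux. A minimal stand-in for an
// attribute bag that renders a map of attribute names/values into HTML.
// Class, method and variable names here are hypothetical.

final class AttributeBag
{
    /** @param array<string, string|bool|null> $attributes */
    public function __construct(private array $attributes) {}

    // Vulnerable shape: values are concatenated into the markup as-is, so a
    // value containing a double quote can close the attribute and inject others.
    public function renderUnescaped(): string
    {
        $out = '';
        foreach ($this->attributes as $name => $value) {
            $out .= sprintf(' %s="%s"', $name, $value);
        }
        return ltrim($out);
    }

    // Hardened shape: every name and value is HTML-escaped for an attribute
    // context (ENT_QUOTES so both quote styles are neutralised).
    public function renderEscaped(): string
    {
        $out = '';
        foreach ($this->attributes as $name => $value) {
            if ($value === false || $value === null) {
                continue;                       // omit the attribute entirely
            }
            $escName = htmlspecialchars((string) $name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if ($value === true) {
                $out .= ' ' . $escName;         // boolean attribute, e.g. disabled
                continue;
            }
            $escValue = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $out .= sprintf(' %s="%s"', $escName, $escValue);
        }
        return ltrim($out);
    }
}

// Constructed sample: the title value is attacker-controlled and carries a quote.
$bag = new AttributeBag(['class' => 'btn', 'title' => 'x" data-injected="1']);

// The unescaped rendering turns the quote into an attribute boundary, so the
// markup gains a second, unintended attribute; the escaped rendering keeps the
// whole string inside the single title attribute.
echo $bag->renderUnescaped(), PHP_EOL;
echo $bag->renderEscaped(), PHP_EOL;
```

Run with `php` on the command line and compare the two lines; the difference is exactly the attribute boundary that escaping removes.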
References
- github.com/advisories/GHSA-5j3w-5pcr-f8hg
- github.com/symfony/ux
- github.com/symfony/ux-live-component/commit/7ad44cf56d750b9f56658ed986286a10da132ee7
- github.com/symfony/ux-twig-component/commit/b5d4e77db69315aeb18d2238e0e7c943d340ce76
- github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8
- github.com/symfony/ux/commit/c2f7738ee0969c31df7514025a7f5fc6e153932d
- github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg
- nvd.nist.gov/vuln/detail/CVE-2025-47946