PT-2025-22110 · Symfony · Symfony/Ux-Live-Component+1

Draichev +1 · Published 2025-05-19 · Updated 2025-05-19 · CVE-2025-47946

CVSS v3.1: 6.1 Medium · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: symfony/ux-twig-component versions prior to 2.25.1; symfony/ux-live-component versions prior to 2.25.1
Description: Rendering {{ attributes }}, or using methods that return a ComponentAttributes instance, can lead to HTML attribute injection and XSS if the attribute values are unsafe, for example because they contain user input.
Recommendations: For symfony/ux-twig-component versions prior to 2.25.1, update to version 2.25.1. For symfony/ux-live-component versions prior to 2.25.1, update to version 2.25.1. As a temporary workaround, avoid rendering {{ attributes }} or derived objects directly if they may contain untrusted values. Instead, use {{ attributes.render('name') }} for safe output of individual attributes.
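
An added example, not part of the advisory or of Symfony's code: a check that reads a composer.lock and reports whether the two affected packages are installed below the fixed version 2.25.1. The lock contents are constructed, and the names FIXED, parse_version and audit_lock are assumptions of this example.

```python
import json
import re

# Package names and fixed version are taken from the advisory text.
FIXED = {
    "symfony/ux-twig-component": (2, 25, 1),
    "symfony/ux-live-component": (2, 25, 1),
}

def parse_version(raw):
    """Return (major, minor, patch) for tags like 'v2.25.0', or None for
    anything else (branch aliases such as 'dev-main', pre-release tags)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw)
    return tuple(int(p) for p in m.groups()) if m else None

def audit_lock(lock_text):
    """Map each affected package found in a composer.lock to (version, status)."""
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            fixed = FIXED.get(pkg.get("name"))
            if fixed is None:
                continue  # not one of the affected packages
            installed = parse_version(pkg.get("version", ""))
            if installed is None:
                status = "unknown"  # cannot compare, review by hand
            elif installed < fixed:
                status = "vulnerable"
            else:
                status = "fixed"
            findings[pkg["name"]] = (pkg.get("version", ""), status)
    return findings

# Constructed sample lock file, trimmed to the fields used here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/ux-twig-component", "version": "v2.24.0"},
        {"name": "symfony/ux-live-component", "version": "v2.25.1"},
        {"name": "twig/twig", "version": "v3.20.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {status}")
```

A package reported as "unknown" is pinned to a branch or pre-release and needs a manual check against the fixing release.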

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-47946
GHSA-5J3W-5PCR-F8HG

Affected Products

Symfony/Ux-Live-Component
Symfony/Ux-Twig-Component