PT-2026-51049 · Packagist · Symfony/Ux-Live-Component

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49208

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

When a #[LiveProp] is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value). The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow", or "+10 years", so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date.

Resolution

hydrateObjectValue() now parses format-less date props strictly with createFromFormat(DateTimeInterface::RFC3339, ...), matching the format already emitted by dehydrateObjectValue(). Normal round-trips are unaffected; only inputs that are not valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
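The contrast the resolution describes, written out as a stand-alone PHP example added to this entry (it is not the project's hydrator code): a lenient hydration that falls back to the DateTime constructor next to the strict RFC 3339 parse the fix adopts. The function names hydrateLenient, hydrateStrict and dehydrate are invented for this illustration, and the sample inputs are constructed. The getLastErrors() check goes slightly beyond the fix by also rejecting overflowed fields that createFromFormat() would otherwise roll over.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony UX code. Shows why new $className($value)
// is a problem for a format-less date prop and how a strict RFC 3339 parse
// closes it. Function names below are hypothetical.

/** Mirrors what dehydration emits for a date prop: an RFC 3339 string. */
function dehydrate(DateTimeInterface $date): string
{
    return $date->format(DateTimeInterface::RFC3339);
}

/**
 * Vulnerable pattern: the DateTime constructor understands relative
 * expressions ("now", "tomorrow", "+10 years"), so any string the parser
 * accepts becomes a date, not only the values dehydrate() produced.
 */
function hydrateLenient(string $className, string $value): ?DateTimeInterface
{
    try {
        return new $className($value);
    } catch (Exception $e) {
        return null;
    }
}

/**
 * Hardened pattern: accept only the shape dehydrate() emits.
 * createFromFormat() returns false on any mismatch (including trailing
 * data), and relative keywords never match the fixed format.
 */
function hydrateStrict(string $className, string $value): ?DateTimeInterface
{
    $parsed = $className::createFromFormat(DateTimeInterface::RFC3339, $value);
    if ($parsed === false) {
        return null;
    }
    // Extra check: a date like 2026-02-31 parses but is rolled over with a
    // warning; treat warnings as a rejection too. getLastErrors() returns
    // false (PHP >= 8.2) or an array with zero counts when nothing went wrong.
    $errors = $className::getLastErrors();
    if ($errors !== false && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
        return null;
    }
    return $parsed;
}

// Constructed sample payloads: one legitimate round-trip value, three
// relative expressions of the kind the advisory mentions, one overflow.
$samples = [
    '2026-06-19T10:00:00+00:00',
    'now',
    'tomorrow',
    '+10 years',
    '2026-02-31T10:00:00+00:00',
];

foreach ($samples as $value) {
    $lenient = hydrateLenient(DateTimeImmutable::class, $value);
    $strict  = hydrateStrict(DateTimeImmutable::class, $value);
    printf(
        "%-28s lenient=%-27s strict=%s\n",
        $value,
        $lenient !== null ? dehydrate($lenient) : 'rejected',
        $strict !== null ? dehydrate($strict) : 'rejected'
    );
}
```

Run with `php example.php`: the lenient column accepts every input and turns the relative strings into concrete timestamps, while the strict column accepts only the first sample. A component that reads such a prop to gate time-based logic should expect exactly that second behaviour from the hydrator, or configure an explicit format on the prop.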

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.


Weakness Enumeration

Related Identifiers

CVE-2026-49208
GHSA-89G7-22C8-3J23

Affected Products

Symfony/Ux-Live-Component