PT-2026-51053 · Symfony · Ux-Live-Component
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-49212
CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
symfony/ux-live-component versions prior to 2.x and 3.x
Description
An issue exists in Symfony\UX\LiveComponent\LiveComponentHydrator, where the HMAC (Hash-based Message Authentication Code) used to protect read-only props and the propsFromParent blob covered only the sorted prop key/value pairs. Because the HMAC did not include the component name, the slot identifier, or any request context, and used a single application-wide secret, a signed blob could be replayed across different components or slots whenever the key names matched. This allows an attacker to set a read-only prop on a target component using a value they were permitted to set as a writable prop on a different component.
Recommendations
Update to the latest version of the 2.x branch.
Update to the latest version of the 3.x branch.
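The weakness described above is a missing domain binding on the MAC: a tag computed over the props alone says nothing about which component or slot it was issued for. The following Python snippet is an added illustration of that point, not code from symfony/ux-live-component and not the project's fix; it does not use the Symfony API. It puts a props-only HMAC (the pattern the advisory describes) beside a variant that also binds the component name and slot identifier, with length-prefixed fields so the parts cannot be confused. The secret, component names and prop values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secret; the advisory notes a single application-wide secret was used.
SECRET = b"constructed-demo-secret"


def canonical_props(props: dict) -> bytes:
    """Serialize props as sorted key/value pairs, the only input the props-only MAC covered."""
    return json.dumps(sorted(props.items()), separators=(",", ":")).encode()


def sign_props_only(props: dict, secret: bytes = SECRET) -> str:
    """Weak scheme: the MAC depends on the props alone, not on who they are for."""
    return hmac.new(secret, canonical_props(props), hashlib.sha256).hexdigest()


def verify_props_only(props: dict, tag: str, secret: bytes = SECRET) -> bool:
    return hmac.compare_digest(sign_props_only(props, secret), tag)


def _bound_message(component: str, slot: str, props: dict) -> bytes:
    # Length-prefix every field so ("ab","c") and ("a","bc") cannot collide.
    parts = (component.encode(), slot.encode(), canonical_props(props))
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_bound(component: str, slot: str, props: dict, secret: bytes = SECRET) -> str:
    """Hardened scheme: the MAC also covers the component name and slot identifier
    (the context the advisory says was missing), so a tag is only valid where it was issued."""
    return hmac.new(secret, _bound_message(component, slot, props), hashlib.sha256).hexdigest()


def verify_bound(component: str, slot: str, props: dict, tag: str, secret: bytes = SECRET) -> bool:
    return hmac.compare_digest(sign_bound(component, slot, props, secret), tag)


def cross_component_check() -> tuple:
    """Return (weak_accepts, bound_accepts) for a blob issued by one component
    and presented to another with the same prop key names (constructed names)."""
    props = {"role": "admin"}
    # Tag legitimately issued for the component where "role" is writable.
    weak_tag = sign_props_only(props)
    # The props-only verifier cannot tell which component issued it.
    weak_accepts = verify_props_only(props, weak_tag)
    bound_tag = sign_bound("ProfileForm", "main", props)
    # The bound verifier rejects the same props under a different component name.
    bound_accepts = verify_bound("AdminPanel", "main", props, bound_tag)
    return weak_accepts, bound_accepts


if __name__ == "__main__":
    print(cross_component_check())
```

The check `cross_component_check()` returns `(True, False)`: the props-only verifier accepts the foreign tag, the context-bound one does not. The same binding principle extends to a per-request nonce or a per-component key if replay within one component also needs to be prevented, which is outside what the advisory covers.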
Weakness Enumeration
Insufficient Verification of Data Authenticity
Affected Products
Ux-Live-Component