CVE-2025-47946

Description

### Impact Rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. ### Patches The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` by using Twig's `EscaperRuntime` to properly escape HTML attributes in `ComponentAttributes`. If you use `symfony/ux-live-component`, you must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. ### Workarounds Until you can upgrade, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes. ### References GitHub repository: [symfony/ux](https://github.com/symfony/ux)

How to fix CVE-2025-47946

To remediate CVE-2025-47946, upgrade the affected package to a fixed version below.

• —upgrade to 2.25.1 or later
• —upgrade to 2.25.1 or later

Is CVE-2025-47946 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2.25.1
• from 0, < 2.25.1

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47946
• PATCHgithub.com/symfony/ux
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2025-47946.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-twig-component/CVE-2025-47946.yaml