CVE-2025-47946

描述

### Impact Rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. ### Patches The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` by using Twig's `EscaperRuntime` to properly escape HTML attributes in `ComponentAttributes`. If you use `symfony/ux-live-component`, you must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. ### Workarounds Until you can upgrade, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes. ### References GitHub repository: [symfony/ux](https://github.com/symfony/ux)

如何修補 CVE-2025-47946

要修補 CVE-2025-47946,請將受影響套件升級到下列已修補版本。

• —升級至 2.25.1 或更新版本
• —升級至 2.25.1 或更新版本

CVE-2025-47946 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(2)

• from 0, < 2.25.1
• from 0, < 2.25.1

CVSS 分數

參考連結(10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47946
• PATCHgithub.com/symfony/ux
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2025-47946.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-twig-component/CVE-2025-47946.yaml