CVE-2026-49208

描述

### Description When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()` falls back to `new $className($value)`. The `DateTime` / `DateTimeImmutable` constructors accept relative strings such as `"now"`, `"tomorrow"`, or `"+10 years"`, so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date. ### Resolution `hydrateObjectValue()` now parses format-less date props strictly with `createFromFormat(DateTimeInterface::RFC3339, ...)`, matching the format already emitted by `dehydrateObjectValue()`. Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved. The patch for this issue is available [here](https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2) for branch 2.x (and forward-ported to 3.x). ### Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

如何修補 CVE-2026-49208

要修補 CVE-2026-49208,請將受影響套件升級到下列已修補版本。

• —升級至 2.36.0 或更新版本

CVE-2026-49208 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-49208 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

• >= 2.8.0, < 2.36.0

CVSS 分數

參考連結(4)

• PATCHgithub.com/symfony/ux
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49208.yaml
• WEBgithub.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2
• WEBgithub.com/symfony/ux/security/advisories/GHSA-89g7-22c8-3j23