6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47946

CVE-2025-47946: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact

Rendering {{ attributes }} or using any method that returns a ComponentAttributes instance (e.g. only(), defaults(), without()) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities.

Patches

The issue is fixed in version 2.25.1 of symfony/ux-twig-component by using Twig's EscaperRuntime to properly escape HTML attributes in ComponentAttributes. If you use symfony/ux-live-component, you must also update it to 2.25.1 to benefit from the fix, as it reuses the ComponentAttributes class internally.

Workarounds

Until you can upgrade, avoid rendering {{ attributes }} or derived objects directly if it may contain untrusted values. Instead, use {{ attributes.render('name') }} for safe output of individual attributes.

References

GitHub repository: symfony/ux

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-47946

CVE-2025-47946:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/ux-twig-component	composer	< 2.25.1	2.25.1
symfony/ux-live-component	composer	< 2.25.1	2.25.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly states that rendering {{ attributes }} (which calls __toString() on a ComponentAttributes object) or using methods that return a ComponentAttributes instance could lead to unescaped output. The core issue was the lack of enforced escaping within the ComponentAttributes class.

The primary fix in symfony/ux-twig-component (commit b5d4e77db69315aeb18d2238e0e7c943d340ce76) targets the ComponentAttributes class.

The __construct method was changed to require a Twig\Runtime\EscaperRuntime instance, ensuring that an escaper is always present. Previously, it accepted an optional HtmlAttributeEscaperInterface, and a deprecation was triggered if it was null. This optional nature was a root cause.
The __toString method was modified to use this mandatory escaper to escape attribute values before they are included in the output string. The removed line $attributes .= ' '.\sprintf('%s="%s"', $key, $this->escaper?->escapeValue($value) ?? $value); shows that if $this->escaper was null (which was possible before the constructor change), the raw $value would be used.

Therefore, Symfony\UX\TwigComponent\ComponentAttributes::__toString() is the function that directly processed and outputted the potentially malicious unescaped input. The Symfony\UX\TwigComponent\ComponentAttributes::__construct() method is also identified as vulnerable because its previous implementation allowed the object to be instantiated in a state where __toString() would behave insecurely.

Methods like only(), defaults(), and without() were mentioned in the advisory because they return ComponentAttributes instances. If the original instance was created without a proper escaper, these methods would propagate that insecure state by creating new instances that also lacked the escaper. However, the actual unescaped output and processing of malicious input occurred within __toString().

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-47946: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact

Patches

Workarounds

References

CVE-2025-47946:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-47946: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI