When a #[LiveProp] is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value). The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow", or "+10 years", so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date.
hydrateObjectValue() now parses format-less date props strictly with createFromFormat(DateTimeInterface::RFC3339, ...), matching the format already emitted by dehydrateObjectValue(). Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
No EPSS score in this advisory JSON.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-89g7-22c8-3j23 ↗ |
| CVE | CVE-2026-49208 ↗ |
| CWE id | Name |
|---|---|
| CWE-20 | Improper Input Validation |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | symfony/ux-live-component | >= 2.8.0, < 2.36.0 | 2.36.0 | — |
| composer | symfony/ux-live-component | >= 3.0.0, < 3.1.0 | 3.1.0 | — |