CVE-2025-47946: 
PHP vulnerability analysis and mitigation

Symfony UX, an initiative and set of libraries for integrating JavaScript tools into applications, disclosed a vulnerability (CVE-2025-47946) affecting versions prior to 2.25.1. The vulnerability was discovered in the component attributes rendering functionality, where {{ attributes }} or methods returning ComponentAttributes instances output attribute values without proper escaping (GitHub Advisory, NVD).

The vulnerability stems from insufficient sanitization in the ComponentAttributes class where attribute values are output directly without proper HTML escaping. This affects both the symfony/ux-twig-component and symfony/ux-live-component packages. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it requires user interaction but can be exploited remotely without authentication (GitHub Advisory, Wiz).

When exploited, this vulnerability can lead to HTML attribute injection and XSS (Cross-Site Scripting) vulnerabilities. If attribute values contain untrusted user input, attackers could potentially inject malicious HTML attributes or JavaScript code that executes in the context of the web application (GitHub Advisory).

The vulnerability has been patched in version 2.25.1 of both symfony/ux-twig-component and symfony/ux-live-component packages. Users should upgrade to these versions to receive the fix. As a temporary workaround, developers can avoid rendering {{ attributes }} or derived objects directly when they may contain untrusted values. Instead, they should use {{ attributes.render('name') }} for safe output of individual attributes (GitHub Advisory).