GHSA-89g7-22c8-3j23
ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor
### Description
When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()` falls back to `new $className($value)`. The `DateTime` / `DateTimeImmutable` constructors accept relative strings such as `"now"`, `"tomorrow"`, or `"+10 years"`, so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date.
### Resolution
`hydrateObjectValue()` now parses format-less date props strictly with `createFromFormat(DateTimeInterface::RFC3339, ...)`, matching the format already emitted by `dehydrateObjectValue()`. Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved.
The patch for this issue is available [here](https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2) for branch 2.x (and forward-ported to 3.x).
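To make the difference concrete, the following PHP snippet (an added example, not the symfony/ux code) puts the permissive `new $className($value)` fallback beside a strict `createFromFormat(DateTimeInterface::RFC3339, ...)` parse. `hydratePermissive` and `hydrateStrict` are hypothetical names, and the `getLastErrors()` check goes one step beyond the page's fix by also rejecting calendar-invalid inputs that `createFromFormat()` would silently roll over.

```php
<?php
declare(strict_types=1);

// Added example, not the LiveComponentHydrator code. Both functions take the
// prop's class name (DateTime or DateTimeImmutable) and the raw client value.

/** The vulnerable fallback: the DateTime constructor accepts relative strings. */
function hydratePermissive(string $className, string $value): \DateTimeInterface
{
    return new $className($value);
}

/** The strict parse: only an RFC 3339 timestamp (the dehydrated form) is accepted. */
function hydrateStrict(string $className, string $value): \DateTimeInterface
{
    // createFromFormat() returns false when the input does not match the format,
    // so "now", "tomorrow" or "+10 years" are rejected instead of being resolved.
    $date = $className::createFromFormat(\DateTimeInterface::RFC3339, $value);
    if ($date === false) {
        throw new \UnexpectedValueException(sprintf('"%s" is not an RFC 3339 date', $value));
    }

    // Extra caveat beyond the fix: a syntactically valid but calendar-invalid value
    // such as 2024-02-30T00:00:00+00:00 parses with a warning and rolls into March.
    // getLastErrors() returns false (PHP >= 8.2) or an array of zero counts when clean.
    $errors = \DateTime::getLastErrors();
    if ($errors !== false && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
        throw new \UnexpectedValueException(sprintf('"%s" is not a valid calendar date', $value));
    }

    return $date;
}

// Constructed client payloads for the demonstration.
$relative = '+10 years';
$roundTrip = '2024-05-01T12:00:00+00:00'; // what dehydrateObjectValue() would emit

// Permissive: the prop is moved a decade into the future.
echo hydratePermissive(\DateTimeImmutable::class, $relative)->format(\DateTimeInterface::RFC3339), "\n";

// Strict: the same payload is rejected, while a normal round-trip still works.
foreach ([$relative, $roundTrip, '2024-02-30T00:00:00+00:00'] as $value) {
    try {
        echo hydrateStrict(\DateTimeImmutable::class, $value)->format(\DateTimeInterface::RFC3339), "\n";
    } catch (\UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```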
### Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
### Affected packages

| Affected from | Fixed in | Upgrade |
|---|---|---|
| 2.8.0 | 2.36.0 | `composer require symfony/ux-live-component:^2.36.0` |
| 3.0.0 | 3.1.0 | `composer require symfony/ux-live-component:^3.1.0` |

### References
- https://github.com/symfony/ux/security/advisories/GHSA-89g7-22c8-3j23 [WEB]
- https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49208.yaml [WEB]
- https://github.com/symfony/ux [PACKAGE]