CVE-2025-47946 is a medium-severity Cross-Site Scripting (XSS) vulnerability affecting Symfony UX, a set of libraries designed to integrate JavaScript tools into Symfony applications. The vulnerability exists in versions prior to 2.25.1 of the symfony/ux-twig-component package and symfony/ux-live-component, which internally uses the same ComponentAttributes class. The issue arises because rendering the `{{ attributes }}` variable or using methods that return a ComponentAttributes instance (such as `only()`, `defaults()`, or `without()`) outputs attribute values directly without proper escaping. If these attribute values contain untrusted user input, this can lead to HTML attribute injection and XSS vulnerabilities. This improper neutralization of input during web page generation corresponds to CWE-79. The vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (e.g., a victim visiting a crafted page). The scope is significant as it affects all applications using vulnerable versions of these Symfony UX components that render untrusted input via the affected attributes. The issue was fixed in version 2.25.1 by ensuring proper escaping of attribute values. As a workaround, developers are advised to avoid rendering `{{ attributes }}` or derived objects directly when they may contain untrusted data, and instead use `{{ attributes.render('name') }}` to safely output individual attributes. No known exploits are reported in the wild as of the publication date (May 19, 2025). The CVSS v3.1 base score is 6.1, indicating a medium severity, with attack vector network, low attack complexity, no privileges required, user interaction required, scope changed, and partial impact on confidentiality and integrity but no impact on availability.

For European organizations, this vulnerability poses a moderate risk particularly to those developing or maintaining web applications using Symfony UX components prior to version 2.25.1. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver further malware. This can damage organizational reputation, lead to data breaches, and cause regulatory compliance issues under GDPR due to potential exposure of personal data. The impact is heightened for sectors with high web presence and sensitive user interactions, such as e-commerce, finance, healthcare, and government services. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure victims. The scope includes any Symfony UX-based web application that improperly renders untrusted input in attributes, which may be common in custom or legacy Symfony projects. The lack of known exploits suggests a window for proactive patching and mitigation before widespread abuse. However, the changed scope (affecting components internally used by others) means that even indirect dependencies can introduce risk, increasing the attack surface. Overall, European organizations relying on Symfony UX should prioritize updates to avoid potential exploitation and associated operational and compliance impacts.

1. Immediate upgrade to symfony/ux-twig-component and symfony/ux-live-component version 2.25.1 or later to apply the official fix that properly escapes attribute values. 2. Audit all Symfony UX-based applications to identify usage of `{{ attributes }}` or methods returning ComponentAttributes instances, especially where untrusted user input may be rendered. 3. Refactor templates to avoid direct rendering of `{{ attributes }}` when the data may be unsafe; instead, use `{{ attributes.render('name') }}` to safely output individual attributes. 4. Implement strict input validation and sanitization on all user-supplied data before it reaches the rendering layer. 5. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. 6. Monitor web application logs and user reports for suspicious activity or signs of XSS exploitation attempts. 7. Educate developers on secure template rendering practices and the risks of improper output escaping. 8. For organizations using third-party Symfony bundles or components, verify their versions and update accordingly to avoid indirect exposure. These steps go beyond generic advice by focusing on specific code patterns and component versions related to this vulnerability.