How CVE-2026-49215 Works
When using symfony/ux-live-component, methods annotated as live actions are invokable from the browser and mutate server-side state via AJAX. The `Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest()` method gated these invocations on the presence of the `Accept: application/vnd.live-component+html` header, with a code comment stating that this acted as CSRF protection.

The core issue is that `Accept` is a CORS-safelisted request header: a cross-origin `fetch()` can set it without triggering a preflight OPTIONS request, so the header provided no actual CSRF protection, and any live action could be forged cross-origin against a victim's session. In practice the attack is mitigated by `SameSite=Lax` session cookies, which is Symfony's default setting. However, applications using `SameSite=None`, `credentials: 'include'` with a permissive cookie policy, or that have been pivoted to from another same-origin vector remained exposed.

The resolution is that `isLiveComponentRequest()` now additionally requires the request header `X-Requested-With: XMLHttpRequest`. This header is not CORS-safelisted, so the browser issues a preflight OPTIONS request for any cross-origin attempt. Since Symfony does not advertise CORS for LiveComponent endpoints, the preflight fails and the real request is blocked before it reaches the application. The bundled Stimulus client already sends `X-Requested-With` on every LiveComponent request (`RequestBuilder.ts`), so standard usage is unaffected. Cross-origin callers must add `X-Requested-With` to their CORS `Access-Control-Allow-Headers` allow-list. The patch for this issue is available for branch 2.x (and forward-ported to 3.x).
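To make the CORS argument above concrete, here is an added example (not code from the advisory or from symfony/ux-live-component) that models the Fetch specification's CORS-safelisted request-header rule and the Accept-only versus Accept-plus-`X-Requested-With` gate; the header sets are constructed, and header values are assumed to be ASCII.

```javascript
// Added example (not code from the advisory or from symfony/ux-live-component): models the
// Fetch spec's "CORS-safelisted request header" rule and the LiveComponent gate before and
// after the patch. Assumes ASCII header values and a single header set per request.
const SAFELISTED_NAMES = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
// "CORS-unsafe request-header bytes": control chars other than tab, DEL, and the listed punctuation.
function hasUnsafeByte(value) {
  for (const ch of value) {
    const b = ch.codePointAt(0);
    if ((b < 0x20 && b !== 0x09) || b === 0x7f || '"():<>?@[\\]{}'.includes(ch)) return true;
  }
  return false;
}
// True when the header may be attached to a cross-origin fetch() without a preflight.
function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_NAMES.has(n) || value.length > 128) return false;
  if (n === 'accept') return !hasUnsafeByte(value);
  if (n === 'content-type') {
    return !hasUnsafeByte(value) && SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }
  return /^[0-9A-Za-z *,\-.;=]*$/.test(value); // Accept-Language / Content-Language alphabet
}
// A cross-origin fetch() is preflighted unless the method and every header are safelisted.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelisted(k, v));
}
// Server-side gate after the page's PHP patterns: Accept only (pre-patch) or Accept + X-Requested-With.
function isLiveComponentRequest(headers, patched) {
  const get = (name) => Object.entries(headers).find(([k]) => k.toLowerCase() === name.toLowerCase())?.[1];
  const acceptOk = get('Accept') === 'application/vnd.live-component+html';
  return patched ? acceptOk && get('X-Requested-With') === 'XMLHttpRequest' : acceptOk;
}
// For one header set: would the browser preflight a cross-origin POST, and which gate versions pass?
function analyse(headers) {
  return {
    preflight: needsPreflight('POST', headers),
    passesOldGate: isLiveComponentRequest(headers, false),
    passesNewGate: isLiveComponentRequest(headers, true),
  };
}
// Constructed header sets: the forged pre-patch request, and what the bundled Stimulus client sends.
const FORGED_PRE_PATCH = { Accept: 'application/vnd.live-component+html' };
const STIMULUS_CLIENT = { Accept: 'application/vnd.live-component+html', 'X-Requested-With': 'XMLHttpRequest' };
console.log(analyse(FORGED_PRE_PATCH)); // { preflight: false, passesOldGate: true, passesNewGate: false }
console.log(analyse(STIMULUS_CLIENT)); // { preflight: true, passesOldGate: true, passesNewGate: true }
```

The first set reaches the old gate with no preflight, which is the bug; the second is stopped by the preflight cross-origin yet is exactly what the first-party client sends.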
DailyCVE Form

Platform: Symfony UX LiveComponent
Version: 2.22.0 - 2.35.0, 3.0.0
Vulnerability: CSRF Protection Bypass
Severity: Low
Date: 2026-05-29

Prediction: Already patched (2.36.0/3.1.0)

What Undercode Say

Analytics:
- Attack Vector: Cross-origin forged requests via `fetch()` with a custom `Accept` header
- Prerequisite: Victim must have an active session with `SameSite=None` or a permissive cookie policy
- Exploitability: Low in default configurations (mitigated by `SameSite=Lax`)
- Impact: Unauthorized execution of live-action methods, mutating server-side state

Bash Commands & Code:

```bash
# Check your installed version
composer show symfony/ux-live-component
# Update to the patched version (2.36.0 for 2.x, 3.1.0 for 3.x)
composer update symfony/ux-live-component
# Verify the fix is applied
composer show symfony/ux-live-component | grep versions
```
Vulnerable Code Pattern (before patch):

```php
// Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber
public function isLiveComponentRequest(Request $request): bool
{
    // This Accept header check was incorrectly relied upon as CSRF protection:
    // Accept is CORS-safelisted, so a cross-origin fetch() can set it with no preflight.
    return $request->headers->get('Accept') === 'application/vnd.live-component+html';
}
```

Fixed Code Pattern (after patch):

```php
// Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber
public function isLiveComponentRequest(Request $request): bool
{
    // X-Requested-With is not CORS-safelisted, so a cross-origin request
    // carrying it is preflighted and rejected before it reaches this code.
    return $request->headers->get('Accept') === 'application/vnd.live-component+html'
        && $request->headers->get('X-Requested-With') === 'XMLHttpRequest';
}
```

Cross-origin exploit attempt (would fail after patch):

```javascript
// This would have worked pre-patch; post-patch the missing X-Requested-With header
// fails the server-side gate, and adding it triggers a preflight that is refused.
fetch('https://victim.com/live-component/action', {
  method: 'POST',
  headers: {
    'Accept': 'application/vnd.live-component+html'
  },
  credentials: 'include'
});
```
Exploit
An attacker could host a malicious website that uses `fetch()` to send a cross-origin request to a vulnerable Symfony application. The request would include the `Accept: application/vnd.live-component+html` header, which is CORS-safelisted and thus does not trigger a preflight. If the victim has an active session with `SameSite=None` or a permissive cookie policy, the request would be processed and the targeted live-action method would execute, mutating server-side state on behalf of the victim. The attacker could, for example, change user settings, perform actions, or trigger any logic exposed as a live action.
Protection
- Immediate Update: Upgrade to `symfony/ux-live-component` version 2.36.0 (for 2.x branches) or 3.1.0 (for 3.x branches).
- Verify the Fix: Ensure that `isLiveComponentRequest()` now requires both the `Accept` header and the `X-Requested-With: XMLHttpRequest` header.
- CORS Configuration: If you have custom CORS configurations that allow cross-origin requests, ensure that `X-Requested-With` is not in your `Access-Control-Allow-Headers` allow-list unless explicitly required.
- Session Cookie Settings: Review your session cookie configuration. Avoid using `SameSite=None` unless absolutely necessary. Symfony’s default `SameSite=Lax` provides sufficient mitigation.
- Workaround (if unable to update): Manually override the `isLiveComponentRequest()` method to enforce the `X-Requested-With` header check, or implement a custom CSRF token validation for LiveComponent endpoints.
Impact
- Confidentiality: Low – No direct data disclosure, but state mutations could reveal information.
- Integrity: Medium – Unauthorized execution of live-action methods can mutate server-side state.
- Availability: Low – No direct denial of service, but repeated forged requests could cause unintended side effects.
- Overall Severity: Low (CVSS score pending, but GitHub rates it as Low severity).
The vulnerability is mitigated by default Symfony session settings (`SameSite=Lax`), making exploitation difficult in standard configurations. However, applications that have intentionally weakened their cookie policies or are using `SameSite=None` remain exposed. The fix adds a robust CSRF protection layer by leveraging the browser's CORS preflight mechanism, so cross-origin requests are blocked in the browser before they reach the application.
Sources:
Reported By: github.com

