Description When a "#[LiveProp]" is typed as a "DateTimeInterface" and no explicit "format" is configured, "Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()" falls back to "new $className($value)". The "DateTime" / "DateTimeImmutable" constructors accept relative strings such as ""now"", ""tomorrow"", or ""+10 years"", so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date. Resolution "hydrateObjectValue()" now parses format-less date props strictly with "createFromFormat(DateTimeInterface::RFC3339, ...)", matching the format already emitted by "dehydrateObjectValue()". Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved. The patch for this issue is available "here" (https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2) for branch 2.x (and forward-ported to 3.x). Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.