CVE-2024-51754

LOW

Twig <3.11.2, <3.14.1 - Info Disclosure

Title source: llm

Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

References (3)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html

[Patch] https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6

Scores

CVSS v3 2.2

EPSS 0.0014

EPSS Percentile 32.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-668

Status published

Products (3)

twig/twig 0 - 3.11.2Packagist

twigphp/Twig < 3.11.2

twigphp/Twig >= 3.12.0, < 3.14.1

Published Nov 06, 2024

Tracked Since Feb 18, 2026