CVE-2024-51755

LOW

Twig <3.11.2, <3.14.1 - Info Disclosure

Title source: llm

Description

Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

References (2)

[Vendor Advisory] https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh

[Patch] https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21

View Patch ZIP pw:eip

Scores

CVSS v3 2.2

EPSS 0.0015

EPSS Percentile 34.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-668

Status published

Products (3)

twig/twig 0 - 3.11.2Packagist

twigphp/Twig < 3.11.2

twigphp/Twig >= 3.12.0, < 3.14.1

Published Nov 06, 2024

Tracked Since Feb 18, 2026