CVE-2024-51755

LOW

Twig <3.11.2, <3.14.1 - Info Disclosure

Title source: llm

Description

Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

References (2)

Scores

CVSS v3 2.2
EPSS 0.0011
EPSS Percentile 29.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-668
Status draft

Affected Products (1)

twig/twig < 3.11.2Packagist

Timeline

Published Nov 06, 2024
Tracked Since Feb 18, 2026