cbcvebase.
CVE-2022-23614
published 2022-02-04

Priority: P262
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.28% (94.2th percentile)
Twig is an open source template language for PHP. When running in sandbox mode, the `arrow` parameter of the `sort` filter must be a Closure; otherwise a template author can name an arbitrary PHP function and have it executed, bypassing the sandbox's policy on which functions templates may call. In affected versions this constraint was not enforced for `sort`, which allows injection of arbitrary PHP code from a sandboxed template. Patched versions (2.14.11 and 3.3.8) reject non-Closure callables in the `sort` filter, as the other arrow-taking filters already did. Users are advised to upgrade.
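To make the constraint concrete, the following is an added example (this editor's own code, not Twig's source): a stripped-down model of the `sort` filter's arrow handling with the pre-fix and post-fix paths side by side. The class and function names (SandboxState, sortFilterVulnerable, sortFilterFixed, checkArrowInSandbox, marker_compare) are this example's own, the exception message is illustrative, and the benign marker_compare function stands in for any global PHP function an attacker could name in a template string. It runs stand-alone on PHP 8.0 or later.

```php
<?php
// Added example, not Twig code: models why a non-Closure `arrow` is dangerous
// under the sandbox and what the Closure-only check in the fixed versions does.
declare(strict_types=1);

// Stand-in for the sandbox extension's "is sandboxed" state (assumed name).
final class SandboxState
{
    public function __construct(public bool $enabled) {}
}

// Pre-fix behaviour: whatever the template supplied as `arrow` goes straight
// into uasort(). A template string such as sort('some_function') resolves to
// a global PHP function, and the sandbox's function policy is never consulted.
function sortFilterVulnerable(SandboxState $sandbox, array $array, $arrow = null): array
{
    if (null !== $arrow) {
        uasort($array, $arrow);   // any callable accepted, sandbox ignored
    } else {
        asort($array);
    }
    return $array;
}

// The rule the patched versions enforce: in sandbox mode only a Closure
// (what a Twig arrow function compiles to) may be used as the comparator.
function checkArrowInSandbox(SandboxState $sandbox, $arrow, string $thing, string $type): void
{
    if (!$arrow instanceof Closure && $sandbox->enabled) {
        throw new RuntimeException(sprintf(
            'The callable passed to the "%s" %s must be a Closure in sandbox mode.',
            $thing, $type
        ));
    }
}

function sortFilterFixed(SandboxState $sandbox, array $array, $arrow = null): array
{
    if (null !== $arrow) {
        checkArrowInSandbox($sandbox, $arrow, 'sort', 'filter');
        uasort($array, $arrow);
    } else {
        asort($array);
    }
    return $array;
}

// Benign marker standing in for any global function an attacker could name.
// It records each invocation so we can see whether the string was resolved.
$invocations = [];
function marker_compare(string $a, string $b): int
{
    global $invocations;
    $invocations[] = [$a, $b];
    return strcmp($a, $b);
}

$sandbox = new SandboxState(enabled: true);
$input   = ['b' => 'beta', 'a' => 'alpha'];

// 1. Vulnerable path: the string 'marker_compare' is resolved and called even
//    though the sandbox is on.
$invocations = [];
sortFilterVulnerable($sandbox, $input, 'marker_compare');
printf("vulnerable: string callable invoked %d time(s) under sandbox\n", count($invocations));

// 2. Fixed path: the same string is rejected before uasort() ever runs.
$invocations = [];
try {
    sortFilterFixed($sandbox, $input, 'marker_compare');
} catch (RuntimeException $e) {
    printf("fixed: rejected (%s); invocations=%d\n", $e->getMessage(), count($invocations));
}

// 3. Fixed path still accepts a Closure, which is what a Twig arrow function
//    such as (a, b) => a <=> b becomes after compilation.
$sorted = sortFilterFixed($sandbox, $input, fn(string $a, string $b): int => $a <=> $b);
echo 'fixed with Closure, key order: ', implode(',', array_keys($sorted)), "\n";
```

The point of the model is the type check, not the sorting: the sandbox can only enforce its function policy on calls it sees at compile time, so a string that is turned into a function call at runtime inside a core filter has to be refused outright.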

Affected (12 ranges)

Vendor          Product        Version range                      Fixed in
debian          debian_linux   -                                  -
debian          php-twig       < 3.3.8-1 (bookworm)               3.3.8-1 (bookworm)
fedoraproject   fedora         -                                  -
fedoraproject   fedora         -                                  -
symfony         twig           >= 2.0.0, < 2.14.11                2.14.11
symfony         twig           >= 3.0.0, < 3.3.8                  3.3.8
twig            twig           >= 0, < 1.23.1-1ubuntu4+esm1       1.23.1-1ubuntu4+esm1
twig            twig           >= 0, < 2.4.6-1ubuntu0.1~esm1      2.4.6-1ubuntu0.1~esm1
twig            twig           >= 2.0.0, < 2.14.11                2.14.11
twig            twig           >= 3.0.0, < 3.3.8                  3.3.8
twigphp         twig           -                                  -
twigphp         twig           -                                  -

Detection & IOCs (extracted from sources)

  • Look for `sort` filter calls in sandboxed templates whose `arrow` argument is not a Twig arrow function; such a call is the vector for executing arbitrary PHP functions from the sandbox.
  • Audit template sources (especially user-supplied or CMS-stored ones rendered in sandbox mode) for `sort(...)` where the argument is a string literal naming a PHP function, or a variable that could carry one, rather than a `(a, b) => ...` expression that compiles to a Closure.
  • NodeJS-based Twig implementations are not affected; focus detection on PHP Twig deployments running in sandbox mode.
  • The vulnerability only matters when Twig is operating in sandbox mode; without the sandbox, template authors are already trusted, so the Closure-only rule is not a security boundary there.
  • Fixed Debian packages: php-twig >= 3.3.8-1 (bookworm/forky/sid/trixie) and >= 2.14.3-1+deb11u1 (bullseye); check deployed package versions against these thresholds.
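The audit described in the bullets above, as an added example (this editor's own script, not part of the advisory or of Twig): it scans template text for `|sort(...)` calls and classifies the first argument. A Twig arrow function (`(a, b) => ...`) compiles to a Closure and is accepted by the patched filter; a quoted string literal is the dangerous case, since it names a global PHP function; anything else is an expression whose value has to be traced by hand. The function names and the sample templates are constructed for this example and are not real project files.

```php
<?php
// Added example, not Twig code: audit templates for `sort` calls whose arrow
// argument would not be a Closure under the sandbox.
declare(strict_types=1);

/**
 * Return the text between the '(' at $start and its matching ')', skipping
 * over quoted strings so parentheses inside them do not count. Null if unbalanced.
 */
function extractArgs(string $src, int $start): ?string
{
    $depth = 0;
    $quote = null;
    $len = strlen($src);
    for ($i = $start; $i < $len; $i++) {
        $c = $src[$i];
        if ($quote !== null) {
            if ($c === '\\') { $i++; continue; }      // skip escaped char
            if ($c === $quote) { $quote = null; }
            continue;
        }
        if ($c === '"' || $c === "'") { $quote = $c; continue; }
        if ($c === '(') {
            $depth++;
        } elseif ($c === ')' && --$depth === 0) {
            return substr($src, $start + 1, $i - $start - 1);
        }
    }
    return null;
}

/** Classify the argument list of one sort(...) call. */
function classifyArrow(string $args): string
{
    $arg = trim($args);
    if ($arg === '') {
        return 'ok-default';            // sort() with no comparator: plain asort()
    }
    // Twig arrow function: `v => ...` or `(a, b) => ...` -> compiled to a Closure
    if (preg_match('/^(\(\s*\w+(\s*,\s*\w+)*\s*\)|\w+)\s*=>/', $arg)) {
        return 'ok-closure';
    }
    // Quoted string literal as the first argument -> names a global PHP function
    if (preg_match('/^([\'"])[^\'"]*\1\s*(,|$)/', $arg)) {
        return 'HIGH-string-callable';
    }
    return 'REVIEW-expression';         // variable or expression: trace its value
}

/** Scan one template; one finding per sort(...) call that has an argument list. */
function auditSortCalls(string $name, string $template): array
{
    $findings = [];
    $offset = 0;
    while (preg_match('/\|\s*sort\s*\(/', $template, $m, PREG_OFFSET_CAPTURE, $offset)) {
        $parenPos = $m[0][1] + strlen($m[0][0]) - 1;   // index of the '('
        $args = extractArgs($template, $parenPos);
        $offset = $parenPos + 1;
        if ($args === null) {
            continue;                                  // unbalanced, skip
        }
        $line = substr_count($template, "\n", 0, $m[0][1]) + 1;
        $findings[] = [
            'template' => $name,
            'line'     => $line,
            'arrow'    => trim($args),
            'verdict'  => classifyArrow($args),
        ];
    }
    return $findings;
}

// Constructed sample templates for this example (not real project files).
$templates = [
    'users.html.twig' => "{% for u in users|sort((a, b) => a.age <=> b.age) %}{{ u.name }}{% endfor %}\n",
    'cms-block.twig'  => "{{ data|sort('system') }}\n{{ items|sort }}\n",
    'report.twig'     => "{{ rows|sort(cmp) }}\n{{ rows | sort(\"strcmp\") }}\n",
];

foreach ($templates as $name => $src) {
    foreach (auditSortCalls($name, $src) as $f) {
        printf("%-16s line %d  %-22s arrow=%s\n",
            $f['template'], $f['line'], $f['verdict'], $f['arrow']);
    }
}
```

Treat `REVIEW-expression` hits seriously when the template is sandboxed and the variable comes from request data or a database: the value only needs to be a string for the unpatched filter to call it. The scan is a triage aid for finding exposure; the actual fix is upgrading to a version that rejects non-Closure callables.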

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -         9.8     CRITICAL   -
vendor_debian   -         8.8     HIGH       -
vendor_redhat   -         8.8     HIGH       -
vendor_ubuntu   -         3.7     LOW        -