CVE-2024-45411
Published: 2024-09-09
Priority: P346 · Severity: high · CVSS 3.1 base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS: 0.83% (52.8th percentile)
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-twig | < php-twig 3.5.1-1+deb12u1 (bookworm) | php-twig 3.5.1-1+deb12u1 (bookworm) |
| symfony | twig | >= 1.0.0 < 1.44.8 | 1.44.8 |
| symfony | twig | >= 2.0.0 < 2.16.1 | 2.16.1 |
| symfony | twig | >= 3.0.0 < 3.14.0 | 3.14.0 |
| twig | twig | >= 0 < 3.26.0 | 3.26.0 |
| twig | twig | >= 1.0.0 < 1.44.8 | 1.44.8 |
| twig | twig | >= 2.0.0 < 2.16.1 | 2.16.1 |
| twig | twig | >= 3.0.0 < 3.11.1 | 3.11.1 |
| twig | twig | >= 3.12.0 < 3.14.0 | 3.14.0 |
| twigphp | twig | — | — |
| twigphp | twig | — | — |
| twigphp | twig | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| ghsa | | 8.6 | HIGH | |
| osv | | 8.6 | HIGH | |
| vendor_debian | | 8.5 | HIGH | |
| vendor_ubuntu | | 8.5 | HIGH | |
GHSA · 2026-05-21 · CVSS 8.6
CVE-2026-46638 [HIGH] CWE-693 Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
### Description
The fix for CVE-2024-45411 / GHSA-6j75-5wfj-gh66 added an explicit `$loaded->unwrap()->checkSecurity()` call in `CoreExtension::include()` so that a template already cached in `Environment::$loadedTemplates` is re-checked when included with `sandboxed = true`.
The deprecated but still functional `{% sandbox %}{% include ... %}{% endsandbox %}` tag path was not updated: it compiles to `enableSandbox(); yield from $this->load(...)->unwrap()->yield(...); disableSandbox();` with no `checkSecurity()` re-invocation. If the included template was loaded once outside the sandbox in the same `Environment` instance, its constructor (and therefore its compiled `checkSecur
OSV · 2025-06-02 · CVSS 8.6
CVE-2024-45411 [HIGH] php-twig vulnerability
It was discovered that Twig did not correctly handle securing user input. An attacker could possibly use this issue to cause Twig to expose sensitive information if it opened a specially crafted file. (CVE-2024-45411)
OSV · 2025-04-24 · CVSS 8.6
CVE-2024-45411 [HIGH] php-twig vulnerabilities
Fabien Potencier discovered that Twig did not run sandbox security checks in some circumstances. An attacker could possibly use this issue to cause a denial of service or execute arbitrary commands. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-45411)
Jamie Schouten discovered that Twig could bypass the security policy for an object call. An attacker could possibly use this issue to obtain sensitive information. (CVE-2024-51754)
OSV · 2024-09-09 · CVSS 8.6
CVE-2024-45411 [HIGH] Twig is a template language for PHP
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
GHSA · 2024-09-09
CVE-2024-45411 [MEDIUM] CWE-693 Twig has a possible sandbox bypass
### Description
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met:
* The sandbox is disabled globally;
* The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance;
* The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled).
### Resolution
The patch ensures that the sandbox security checks are always run at runtime.
### Credits
We would like to thank Fabien Potencier for reporting and fixing the issue.
OSV · 2024-09-09
CVE-2024-45411 [MEDIUM] Twig has a possible sandbox bypass (same advisory text as the GHSA entry above)
Ubuntu · 2025-06-02 · CVSS 8.5
CVE-2024-45411 [HIGH] Twig vulnerability
Summary: Twig could be made to expose sensitive information if it opened a specially crafted file.
It was discovered that Twig did not correctly handle securing user input. An attacker could possibly use this issue to cause Twig to expose sensitive information if it opened a specially crafted file. (CVE-2024-45411)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu · 2025-04-24 · CVSS 8.5
CVE-2024-45411 [HIGH] Twig vulnerabilities
Summary: Several security issues were fixed in Twig.
Fabien Potencier discovered that Twig did not run sandbox security checks in some circumstances. An attacker could possibly use this issue to cause a denial of service or execute arbitrary commands. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-45411)
Jamie Schouten discovered that Twig could bypass the security policy for an object call. An attacker could possibly use this issue to obtain sensitive information. (CVE-2024-51754)
Instructions: In general, a standard system update will make all the necessary changes.
Debian · 2024 · CVSS 8.5
CVE-2024-45411 [HIGH] php-twig
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Scope: local
Status by release:
* bookworm: resolved (fixed in 3.5.1-1+deb12u1)
* bullseye: resolved (fixed in 2.14.3-1+deb11u3)
* forky: resolved (fixed in 3.8.0-4)
* sid: resolved (fixed in 3.8.0-4)
* trixie: resolved (fixed in 3.8.0-4)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
* https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
* https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
* https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233
* https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
* https://lists.debian.org/debian-lts-announce/2024/09/msg00031.html