CVE-2024-51754
Published 2024-11-06
Priority P4 · low · CVSS 3.1 base score 2.2 · vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS 0.44% (35.2nd percentile)
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-twig | < php-twig 2.14.3-1+deb11u4 (bullseye) | php-twig 2.14.3-1+deb11u4 (bullseye) |
| twig | twig | >= 0 < 3.11.2 | 3.11.2 |
| twig | twig | >= 3.12 < 3.14.1 | 3.14.1 |
| twigphp | twig | < 3.11.2 | 3.11.2 |
| twigphp | twig | — | — |
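The following PHP script is an added example, not code from the Twig project or from the advisory. It shows the two halves of the CVE described above: the sandbox blocks `{{ secret }}` because `__toString()` is not an allowed method, while on an unpatched release the same object nested in an array and passed to the `join` filter (`{{ [secret]|join(", ") }}`) is stringified without the policy check. It also checks the installed `twig/twig` version against the upstream ranges in the Affected table. Assumptions: `twig/twig` is installed through Composer with `vendor/autoload.php` next to the script, PHP 8.0 or later, and the class `ApiCredential` plus the functions `twigVersionIsAffected`, `sandboxedTwig`, `renderOrBlock` and `sandboxGuardsNestedToString` are hypothetical names chosen for this example.

```php
<?php
// Added example (not the Twig project's code and not from the advisory).
// Assumes twig/twig is installed with Composer and PHP >= 8.0.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Version check against the upstream ranges in the Affected table
// (< 3.11.2, and >= 3.12.0 < 3.14.1). Distro packages such as Debian's
// php-twig backport the fix under their own version strings, so for
// those rely on the distro status, not on this function.
function twigVersionIsAffected(string $version): bool
{
    return version_compare($version, '3.11.2', '<')
        || (version_compare($version, '3.12.0', '>=') && version_compare($version, '3.14.1', '<'));
}

// Constructed stand-in for a context object whose __toString() returns data
// the sandboxed template author must not be able to read.
final class ApiCredential
{
    public function __construct(private string $token) {}

    public function __toString(): string
    {
        return $this->token;
    }
}

// A sandbox that allows the join filter but no methods at all, so any
// __toString() call that the sandbox sees must raise SecurityNotAllowedMethodError.
function sandboxedTwig(array $templates): Environment
{
    $policy = new SecurityPolicy(
        [],        // allowed tags
        ['join'],  // allowed filters
        [],        // allowed methods (none: __toString is not allowed on any class)
        [],        // allowed properties
        []         // allowed functions
    );
    $twig = new Environment(new ArrayLoader($templates));
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template
    return $twig;
}

// Renders one template; reports the output, or the SecurityError class if the policy blocked it.
function renderOrBlock(Environment $twig, string $name, array $context): string
{
    try {
        return 'rendered: ' . $twig->render($name, $context);
    } catch (SecurityError $e) {
        return 'blocked: ' . $e::class;
    }
}

// Behavioural probe for this CVE: true when the sandbox also checks __toString()
// on an object that is nested in an array before the join filter stringifies it.
function sandboxGuardsNestedToString(): bool
{
    $twig = sandboxedTwig(['probe' => '{{ [secret]|join(", ") }}']);
    try {
        $twig->render('probe', ['secret' => new ApiCredential('probe')]);
        return false; // __toString() ran without a policy check
    } catch (SecurityError) {
        return true;
    }
}

$twig = sandboxedTwig([
    'direct' => '{{ secret }}',               // printed object: always checked by the sandbox
    'nested' => '{{ [secret]|join(", ") }}',  // object inside an array literal: the CVE-2024-51754 case
]);
$context = ['secret' => new ApiCredential('tok_constructed_example_value')]; // constructed sample

printf("twig/twig %s: %s\n", Environment::VERSION,
    twigVersionIsAffected(Environment::VERSION) ? 'in an affected range' : 'outside the affected ranges');
foreach (['direct', 'nested'] as $name) {
    printf("%-6s %s\n", $name, renderOrBlock($twig, $name, $context));
}
printf("nested __toString() guarded: %s\n", sandboxGuardsNestedToString() ? 'yes' : 'no');
```

Per the advisory, an affected release blocks the `direct` template but renders the token for the `nested` one, and 3.11.2 / 3.14.1 and later raise `SecurityNotAllowedMethodError` for both because the sandbox now checks `__toString()` on every object. `sandboxGuardsNestedToString()` is the check to keep as a regression test in an application that relies on the sandbox: it fails loudly if a downgrade or a vendored copy of Twig reintroduces the gap. The version check is only a first pass; the behavioural probe is what tells you the running code is actually patched.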
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 2.2 | LOW | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N |
| osv | 8.6 | HIGH | — |
| vendor_ubuntu | 8.5 | HIGH | — |
| vendor_debian | 2.2 | LOW | — |

The two HIGH scores come from the Ubuntu advisory (and its OSV mirror) that bundles this CVE with CVE-2024-45411, the sandbox-check bypass that can lead to command execution; the scores for CVE-2024-51754 on its own (NVD and Debian) are 2.2 LOW.
Ubuntu
Twig vulnerabilities (vendor_ubuntu · 2025-04-24 · CVSS 8.5, HIGH; advisory keyed to CVE-2024-45411, also covers CVE-2024-51754)
Summary: Several security issues were fixed in Twig.
Fabien Potencier discovered that Twig did not run sandbox security checks in some circumstances. An attacker could possibly use this issue to cause a denial of service or execute arbitrary commands. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-45411)

Jamie Schouten discovered that Twig could bypass the security policy for an object call. An attacker could possibly use this issue to obtain sensitive information. (CVE-2024-51754)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2024-51754: php-twig (vendor_debian · 2024 · CVSS 2.2, LOW; same description as the NVD entry above)
Scope: local
bookworm: open
bullseye: resolved (fixed in 2.14.3-1+deb11u4)
forky: resolved (fixed in 3.14.2-1)
sid: resolved (fixed in 3.14.2-1)
trixie: resolved (fixed in 3.14.2-1)
OSV
php-twig vulnerabilities (osv · 2025-04-24 · CVSS 8.6, HIGH; mirror of the Ubuntu advisory keyed to CVE-2024-45411, text identical to the Ubuntu entry above)
OSV
CVE-2024-51754: Twig is a template language for PHP (osv · 2024-11-06 · CVSS 2.2, LOW; same description as the NVD entry above)
OSV / GHSA
Twig has unguarded calls to `__toString()` when nesting an object into an array (osv and ghsa · 2024-11-06 · LOW · CWE-668)
### Description
In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).
### Resolution
The sandbox mode now checks the `__toString()` method call on all objects.
The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch.
### Credits
We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for prov
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2024-11-06