CVE-2024-51754 — Resource Exposure in Twig

CWE-668 — Resource Exposure8 documents6 sources

Severity

2.2LOWNVD

OSV8.6

EPSS

0.1%

top 66.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Twigphp Twig Twig

Timeline

PublishedNov 6

Latest updateApr 24

Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 0.7 | Impact: 1.4

Affected Packages2 packages

▶Packagisttwig/twig3.12 — 3.14.1+1

▶CVEListV5twigphp/twig< 3.11.2+1

🔴Vulnerability Details

OSV

php-twig vulnerabilities↗2025-04-24

▶

CVEList

Unguarded calls to __toString() when nesting an object into an array in Twig↗2024-11-06

▶

OSV

CVE-2024-51754: Twig is a template language for PHP↗2024-11-06

▶

OSV

Twig has unguarded calls to `__toString()` when nesting an object into an array↗2024-11-06

▶

GHSA

Twig has unguarded calls to `__toString()` when nesting an object into an array↗2024-11-06

▶

📋Vendor Advisories

Ubuntu

Twig vulnerabilities↗2025-04-24

▶

Debian

CVE-2024-51754: php-twig - Twig is a template language for PHP. In a sandbox, an attacker can call `__toStr...↗2024

▶