CVE-2024-51755
Published: 2024-11-06
Priority: P4 (low) · CVSS 3.1 base score: 2.2
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.41% (33.1st percentile)
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-twig | < php-twig 3.14.2-1 (forky) | php-twig 3.14.2-1 (forky) |
| twig | twig | >= 0 < 3.26.0 | 3.26.0 |
| twig | twig | >= 0 < 3.11.2 | 3.11.2 |
| twig | twig | >= 3.12 < 3.14.1 | 3.14.1 |
| twigphp | twig | < 3.11.2 | 3.11.2 |
| twigphp | twig | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 2.2 | LOW | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N |
| ghsa | 2.2 | LOW | |
| osv | 2.2 | LOW | |
| vendor_debian | 2.2 | LOW | |
Debian (vendor_debian · 2024 · CVSS 2.2): CVE-2024-51755 [LOW] php-twig
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3.14.2-1)
sid: resolved (fixed in 3.14.2-1)
trixie: resolved (fixed in 3.14.2-1)
GHSA (ghsa · 2026-05-21 · CVSS 2.2): CVE-2026-46635 [LOW] CWE-863 Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)
### Description
The `column` filter passes its input straight to PHP's native `array_column()`. When the array elements are objects, `array_column()` reads `$obj->$name` (and `$obj->$index`) directly, including invoking `__get`/`__isset`. Because this property read happens entirely in PHP native code and never reaches `CoreExtension::getAttribute()`, `SandboxExtension::checkPropertyAllowed()` is never consulted.
An untrusted template author with `column` in their `allowedFilters` list can therefore read any public or magic property of any object reachable in the render context, regardless of the `SecurityPolicy` `allowedProperties` list. This is a variant of CVE-2024-51755 / GHSA-jjxq-ff2g-95vh tha
OSV (osv · 2024-11-06 · CVSS 2.2): CVE-2024-51755 [LOW] Twig is a template language for PHP
OSV (osv · 2024-11-06): CVE-2024-51755 [LOW] Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled
### Description
In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the `__isset()` method is now called after the security check.
**This is a BC break.**
### Resolution
The sandbox mode now checks that access to an array-like object's properties is allowed by the security policy.
The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch.
### Credits
We would like to thank Jamie Schouten for reporting the issue and Ni
GHSA (ghsa · 2024-11-06): CVE-2024-51755 [LOW] CWE-668 Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled (same advisory text as the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.