CVE-2025-24374 — Injection in Twig

CWE-74 — Injection6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 47.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Twig Twigphp Twig

Timeline

PublishedJan 29

Description

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶Packagisttwig/twig3.16.0 — 3.19.0

▶CVEListV5twigphp/twig>= 3.16.0, < 3.19.0

🔴Vulnerability Details

GHSA

Twig security issue where escaping was missing when using null coalesce operator↗2025-01-29

▶

OSV

Twig security issue where escaping was missing when using null coalesce operator↗2025-01-29

▶

OSV

CVE-2025-24374: Twig is a template language for PHP↗2025-01-29

▶

CVEList

Twig fixes a security issue where escaping was missing when using null coalesce operator (??)↗2025-01-29

▶

📋Vendor Advisories

Debian

CVE-2025-24374: php-twig - Twig is a template language for PHP. When using the ?? operator, output escaping...↗2025

▶