CVE-2025-24374
Published 2025-01-29. CVE-2025-24374: Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator.
Priority: P419 · Severity: medium · CVSS 3.1 base score: 4.3
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.28% (19.9th percentile)
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-twig | < php-twig 3.19.0-1~bootstrap (forky) | php-twig 3.19.0-1~bootstrap (forky) |
| twig | twig | >= 3.16.0 < 3.19.0 | 3.19.0 |
| twigphp | twig | — | — |
CVSS provenance
- nvd: v3.1, 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- osv: 4.3 MEDIUM
- vendor_debian: 4.3 MEDIUM
GHSA (ghsa · 2025-01-29)
CVE-2025-24374 [MEDIUM] CWE-74: Twig security issue where escaping was missing when using null coalesce operator
When using the `??` operator, output escaping was missing for the expression on the left side of the operator.
OSV (osv · 2025-01-29)
CVE-2025-24374 [MEDIUM]: Twig security issue where escaping was missing when using null coalesce operator
OSV (osv · 2025-01-29 · CVSS 4.3)
CVE-2025-24374 [MEDIUM]: Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Debian (vendor_debian · 2025 · CVSS 4.3)
CVE-2025-24374 [MEDIUM]: php-twig - Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Scope: local
- bookworm: open
- bullseye: open
- forky: resolved (fixed in 3.19.0-1~bootstrap)
- sid: resolved (fixed in 3.19.0-1~bootstrap)
- trixie: resolved (fixed in 3.19.0-1~bootstrap)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-01-29