Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox when an object is in an array or an argument list
Affected versions
Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.
The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.
Description
In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).
Resolution
The sandbox mode now checks the __toString() method call on all objects.
The patch for this issue is available here for branch 3.x.
Credits
We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.
Symfony Blog