Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox when an object is in an array or an argument list

Blog Home Posted by on 06.11.2024 18:50 in

Affected versions

Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).

Resolution

The sandbox mode now checks the __toString() method call on all objects.

The patch for this issue is available here for branch 3.x.

Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

Sponsor the Symfony project.

Symfony Blog

PHP-Releases

PHP 8.4.1 released!

21. November 2024

PHP 8.1.31 released!

21. November 2024

PHP 8.3.14 released!

21. November 2024

PHP 8.2.26 released!

21. November 2024

Affected versions

Description

Resolution

Credits

Latest News

Community News: Latest PECL Releases (11.26.2024)

Community News: Latest PEAR Releases (11.25.2024)

Black Friday 2024 offers from the Symfony Ecosystem

A Week of Symfony #934 (18-24 November 2024)

New in Symfony 7.2: Optional Secret

PHP-Releases

PHP 8.4.1 released!

PHP 8.1.31 released!

PHP 8.3.14 released!

PHP 8.2.26 released!