Twig CVE-2025-24374: Missing output escaping for the null coalesce operator
Affected versions
Twig versions >=3.16.0,<3.19.0 are affected by this security issue.
The issue has been fixed in Twig 3.19.0.
Description
When the null coalesce operator (??) was used in an output expression, the expression on its left-hand side was rendered without output escaping, even with autoescaping enabled.
Resolution
Output escaping for the ?? operator has been fixed.
The patch for this issue is available here for the 3.x branch.
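As an added regression check, not part of the advisory or of Twig itself, the following PHP script renders a template whose `??` left operand is untrusted data and verifies that autoescaping still applies to it; it assumes Twig is installed through Composer and that `vendor/autoload.php` is reachable from the script's directory.

```php
<?php
// Added example (not from the advisory or the Twig project): regression check
// for CVE-2025-24374. Assumes a Composer install with vendor/autoload.php.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed template: the left operand of ?? comes from the caller.
$loader = new ArrayLoader([
    'coalesce.html.twig' => '<p>{{ display_name ?? "anonymous" }}</p>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Constructed sample value containing characters that must be escaped in HTML.
$untrusted = '<b>"quoted" & co</b>';

// Twig's html escaping strategy is htmlspecialchars with ENT_QUOTES|ENT_SUBSTITUTE.
$expected = '<p>' . htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';

// 1. Report whether the installed Twig falls in the affected range (>=3.16.0, <3.19.0).
$inAffectedRange = version_compare(Environment::VERSION, '3.16.0', '>=')
    && version_compare(Environment::VERSION, '3.19.0', '<');
printf("Twig %s: %s\n", Environment::VERSION,
    $inAffectedRange ? 'inside the affected range, upgrade to 3.19.0 or later' : 'outside the affected range');

// 2. Behavioural check: the left operand must be escaped when it is set ...
$rendered = $twig->render('coalesce.html.twig', ['display_name' => $untrusted]);
$escapedOk = ($rendered === $expected);

// ... and the fallback must still be used when the variable is absent.
$fallback = $twig->render('coalesce.html.twig', []);
$fallbackOk = ($fallback === '<p>anonymous</p>');

if ($escapedOk && $fallbackOk) {
    echo "OK: left operand of ?? is escaped and the fallback still works\n";
    exit(0);
}
if (!$escapedOk) {
    echo "FAIL: left operand of ?? rendered unescaped: $rendered\n";
}
if (!$fallbackOk) {
    echo "FAIL: unexpected fallback output: $fallback\n";
}
exit(1);
```

Run it in your CI after upgrading so a future regression in escaping for `??` is caught before deployment.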
Credits
We would like to thank Phil E. Taylor for reporting the issue and Fabien Potencier for providing the fix.