VulnerableCode Package Details - pkg:composer/twig/twig@3.3.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-1au7-86r7-8qdn Aliases: CVE-2024-51754 GHSA-6377-hfv9-hqf6	Twig has unguarded calls to `__toString()` when nesting an object into an array ### Description In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). ### Resolution The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.	3.11.2 Affected by 0 other vulnerabilities. 3.14.1 Affected by 0 other vulnerabilities.
VCID-cd24-q2ys-yfbe Aliases: CVE-2024-51755 GHSA-jjxq-ff2g-95vh	Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled ### Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. ### Resolution The sandbox mode now ensures access to array-like's properties is allowed. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.	3.11.2 Affected by 0 other vulnerabilities. 3.14.1 Affected by 0 other vulnerabilities.
VCID-etje-vrfw-nbh4 Aliases: CVE-2024-45411 GHSA-6j75-5wfj-gh66	Twig has a possible sandbox bypass ### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue.	3.11.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.14.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ummk-h11z-bkaj Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33	Twig may load a template outside a configured directory when using the filesystem loader # Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.	3.4.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yypq-j9mx-6qa4 Aliases: CVE-2022-23614 GHSA-5mv2-rx3q-4w2v	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Twig is an open source template language for PHP.Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.	3.3.8 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1au7-86r7-8qdn
Aliases:
CVE-2024-51754
GHSA-6377-hfv9-hqf6

Twig has unguarded calls to `__toString()` when nesting an object into an array ### Description In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). ### Resolution The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

3.11.2
Affected by 0 other vulnerabilities.

3.14.1
Affected by 0 other vulnerabilities.

VCID-cd24-q2ys-yfbe
Aliases:
CVE-2024-51755
GHSA-jjxq-ff2g-95vh

Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled ### Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. **This is a BC break.** ### Resolution The sandbox mode now ensures access to array-like's properties is allowed. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

3.11.2
Affected by 0 other vulnerabilities.

3.14.1
Affected by 0 other vulnerabilities.

VCID-etje-vrfw-nbh4
Aliases:
CVE-2024-45411
GHSA-6j75-5wfj-gh66

Twig has a possible sandbox bypass ### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue.

3.11.1
Affected by 2 other vulnerabilities.

3.14.0
Affected by 2 other vulnerabilities.

VCID-ummk-h11z-bkaj
Aliases:
CVE-2022-39261
GHSA-52m2-vc4m-jj33

Twig may load a template outside a configured directory when using the filesystem loader # Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

3.4.3
Affected by 3 other vulnerabilities.

VCID-yypq-j9mx-6qa4
Aliases:
CVE-2022-23614
GHSA-5mv2-rx3q-4w2v

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Twig is an open source template language for PHP.Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

3.3.8
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:13:14.373095+00:00	GitLab Importer	Affected by	VCID-1au7-86r7-8qdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-51754.yml	38.4.0
2026-04-16T23:13:10.385336+00:00	GitLab Importer	Affected by	VCID-cd24-q2ys-yfbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-51755.yml	38.4.0
2026-04-16T23:07:42.511513+00:00	GitLab Importer	Affected by	VCID-etje-vrfw-nbh4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-45411.yml	38.4.0
2026-04-16T22:11:28.179810+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-39261.yml	38.4.0
2026-04-16T21:38:24.938512+00:00	GitLab Importer	Affected by	VCID-yypq-j9mx-6qa4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-23614.yml	38.4.0
2026-04-12T00:31:43.542431+00:00	GitLab Importer	Affected by	VCID-1au7-86r7-8qdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-51754.yml	38.3.0
2026-04-12T00:31:39.087642+00:00	GitLab Importer	Affected by	VCID-cd24-q2ys-yfbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-51755.yml	38.3.0
2026-04-12T00:25:50.554300+00:00	GitLab Importer	Affected by	VCID-etje-vrfw-nbh4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-45411.yml	38.3.0
2026-04-11T23:28:13.783571+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-39261.yml	38.3.0
2026-04-11T22:53:03.434459+00:00	GitLab Importer	Affected by	VCID-yypq-j9mx-6qa4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-23614.yml	38.3.0
2026-04-03T00:39:26.531033+00:00	GitLab Importer	Affected by	VCID-1au7-86r7-8qdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-51754.yml	38.1.0
2026-04-03T00:39:21.650597+00:00	GitLab Importer	Affected by	VCID-cd24-q2ys-yfbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-51755.yml	38.1.0
2026-04-03T00:33:28.902895+00:00	GitLab Importer	Affected by	VCID-etje-vrfw-nbh4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2024-45411.yml	38.1.0
2026-04-02T23:34:02.161199+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-39261.yml	38.1.0
2026-04-02T23:02:25.466784+00:00	GitLab Importer	Affected by	VCID-yypq-j9mx-6qa4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-23614.yml	38.1.0
2026-04-01T17:55:59.463981+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-39261.yml	38.0.0
2026-04-01T17:21:15.919678+00:00	GitLab Importer	Affected by	VCID-yypq-j9mx-6qa4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/twig/twig/CVE-2022-23614.yml	38.0.0