Package details: pkg:deb/debian/php-twig@2.14.3-1%2Bdeb11u4?distro=trixie
purl pkg:deb/debian/php-twig@2.14.3-1%2Bdeb11u4?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-1au7-86r7-8qdn
Aliases: CVE-2024-51754, GHSA-6377-hfv9-hqf6
Summary: Twig has unguarded calls to `__toString()` when nesting an object into an array

### Description

In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).

### Resolution

The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch.

### Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-03T07:49:41.372806+00:00 | Debian Importer | Fixing | VCID-1au7-86r7-8qdn | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |