VulnerableCode Package Details - pkg:composer/twig/twig@3.11.1

Search for packages

Package details: pkg:composer/twig/twig@3.11.1

Essentials
History (2)

purl	pkg:composer/twig/twig@3.11.1

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-ra6y-zf7y-zyc7	Twig has a possible sandbox bypass ### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue.	CVE-2024-45411 GHSA-6j75-5wfj-gh66

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T14:35:29.646243+00:00	GHSA Importer	Fixing	VCID-ra6y-zf7y-zyc7	https://github.com/advisories/GHSA-6j75-5wfj-gh66	36.1.3
2025-07-01T12:09:21.892537+00:00	GithubOSV Importer	Fixing	VCID-ra6y-zf7y-zyc7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-6j75-5wfj-gh66/GHSA-6j75-5wfj-gh66.json	36.1.3