VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-8921-71jv-uubp

Essentials
Severities (19)
References (12)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-8921-71jv-uubp
Aliases	CVE-2024-51754 GHSA-6377-hfv9-hqf6
Summary	Twig has unguarded calls to `__toString()` when nesting an object into an array ### Description In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). ### Resolution The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-668

Exposure of Resource to Wrong Sphere

System	Score	Found at
epss	0.0009	https://api.first.org/data/v1/epss?cve=CVE-2024-51754
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-6377-hfv9-hqf6
cvssv3.1	2.2	https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml
generic_textual	LOW	https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml
cvssv3.1	2.2	https://github.com/twigphp/Twig
generic_textual	LOW	https://github.com/twigphp/Twig
cvssv3.1	2.2	https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
generic_textual	LOW	https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
ssvc	Track	https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
cvssv3.1	2.2	https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
cvssv3.1_qr	LOW	https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
generic_textual	LOW	https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
ssvc	Track	https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
cvssv3.1	2.2	https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html
generic_textual	LOW	https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html
cvssv3.1	2.2	https://nvd.nist.gov/vuln/detail/CVE-2024-51754
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2024-51754
cvssv3.1	2.2	https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
generic_textual	LOW	https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-51754
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51754
		https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml
		https://github.com/twigphp/Twig
		https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
		https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
		https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html
		https://nvd.nist.gov/vuln/detail/CVE-2024-51754
		https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
1086884		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
GHSA-6377-hfv9-hqf6		https://github.com/advisories/GHSA-6377-hfv9-hqf6
USN-7456-1		https://usn.ubuntu.com/7456-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/twigphp/Twig

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:40:22Z/ Found at https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:40:22Z/ Found at https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-51754

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.26597
EPSS Score	0.0009
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:10:33.312288+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-6377-hfv9-hqf6/GHSA-6377-hfv9-hqf6.json	36.1.3