VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-zwzx-hces-hkfk

Essentials
Severities (17)
References (10)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-zwzx-hces-hkfk
Aliases	CVE-2024-51755 GHSA-jjxq-ff2g-95vh
Summary	Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled ### Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. ### Resolution The sandbox mode now ensures access to array-like's properties is allowed. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-668

Exposure of Resource to Wrong Sphere

System	Score	Found at
epss	0.00058	https://api.first.org/data/v1/epss?cve=CVE-2024-51755
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-jjxq-ff2g-95vh
cvssv3.1	2.2	https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml
generic_textual	LOW	https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml
cvssv3.1	2.2	https://github.com/twigphp/Twig
generic_textual	LOW	https://github.com/twigphp/Twig
cvssv3.1	2.2	https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21
generic_textual	LOW	https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21
ssvc	Track	https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21
cvssv3.1	2.2	https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
cvssv3.1_qr	LOW	https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
generic_textual	LOW	https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
ssvc	Track	https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
cvssv3.1	2.2	https://nvd.nist.gov/vuln/detail/CVE-2024-51755
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2024-51755
cvssv3.1	2.2	https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
generic_textual	LOW	https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-51755
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51755
		https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml
		https://github.com/twigphp/Twig
		https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21
		https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
		https://nvd.nist.gov/vuln/detail/CVE-2024-51755
		https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
1086884		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
GHSA-jjxq-ff2g-95vh		https://github.com/advisories/GHSA-jjxq-ff2g-95vh

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/twigphp/Twig

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:44:58Z/ Found at https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:44:58Z/ Found at https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-51755

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.18309
EPSS Score	0.00058
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:10:41.348858+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-jjxq-ff2g-95vh/GHSA-jjxq-ff2g-95vh.json	36.1.3