Skip to content

Commit 1177f4d

Browse files
1 parent dcad0d2 commit 1177f4d

1 file changed

Lines changed: 100 additions & 0 deletions

File tree

Lines changed: 100 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,100 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2q52-x2ff-qgfr",
4+
"modified": "2026-06-05T20:41:33Z",
5+
"published": "2026-06-05T20:41:33Z",
6+
"aliases": [
7+
"CVE-2026-24425"
8+
],
9+
"summary": "Twig: Possible sandbox bypass when using a source policy",
10+
"details": "# Description\n\nWhen using the sandbox with a `SourcePolicyInterface`, Twig does not always apply the sandbox restriction that forbids non-`Closure` callbacks for callback-accepting filters.\n\nThe issue affects the `sort`, `filter`, `map`, and `reduce` filters.\n\nIn the affected versions, the runtime check that rejects non-`Closure` callbacks in sandbox mode does not use the current template `Source`. As a result, when the sandbox is enabled through a source policy instead of being enabled globally, Twig can incorrectly treat the current execution as non-sandboxed for these callback checks.\n\nThis can allow user-controlled templates to pass arbitrary PHP callables to callback-accepting filters even though the template is being sandboxed through a source policy.\n\nThe issue happens when all these conditions are met:\n\n- The sandbox is not enabled globally;\n- A `SourcePolicyInterface` enables the sandbox for the rendered template;\n- The template uses one of the `sort`, `filter`, `map`, or `reduce` filters;\n- The callback is not a `Closure`.\n\n# Resolution\n\nThe patch makes callback sandbox checks source-aware by propagating the current template `Source` to callback-accepting filters and using it when deciding whether sandbox restrictions apply.\n\n# Credits\n\nWe would like to thank XavLim and Wade Sparks for reporting the issue and Fabien Potencier for fixing the issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "Packagist",
25+
"name": "twig/twig"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "2.16.0"
33+
},
34+
{
35+
"last_affected": "2.16.1"
36+
}
37+
]
38+
}
39+
]
40+
},
41+
{
42+
"package": {
43+
"ecosystem": "Packagist",
44+
"name": "twig/twig"
45+
},
46+
"ranges": [
47+
{
48+
"type": "ECOSYSTEM",
49+
"events": [
50+
{
51+
"introduced": "3.9.0"
52+
},
53+
{
54+
"fixed": "3.26.0"
55+
}
56+
]
57+
}
58+
]
59+
}
60+
],
61+
"references": [
62+
{
63+
"type": "WEB",
64+
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-2q52-x2ff-qgfr"
65+
},
66+
{
67+
"type": "ADVISORY",
68+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24425"
69+
},
70+
{
71+
"type": "WEB",
72+
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-24425.yaml"
73+
},
74+
{
75+
"type": "PACKAGE",
76+
"url": "https://github.com/twigphp/Twig"
77+
},
78+
{
79+
"type": "WEB",
80+
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
81+
},
82+
{
83+
"type": "WEB",
84+
"url": "https://symfony.com/cve-2026-24425"
85+
},
86+
{
87+
"type": "WEB",
88+
"url": "https://www.vulncheck.com/advisories/twig-x-x-sandbox-bypass-via-sourcepolicyinterface"
89+
}
90+
],
91+
"database_specific": {
92+
"cwe_ids": [
93+
"CWE-693"
94+
],
95+
"severity": "HIGH",
96+
"github_reviewed": true,
97+
"github_reviewed_at": "2026-06-05T20:41:33Z",
98+
"nvd_published_at": "2026-05-20T14:16:38Z"
99+
}
100+
}

0 commit comments

Comments
 (0)