Advisories for Composer/Twig/Twig package

2024

Twig has a possible sandbox bypass

Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: The sandbox is disabled globally; The sandbox is enabled via a sandboxed include() function which references a template name (like included.twig) and not a Template or TemplateWrapper instance; The included template has been loaded before the include() call but in a …

Twig Path Traversal vulnerability in the filesystem loader

Twig is affected by path traversal vulnerability when used with Twig_Loader_Filesystem for loading Twig templates but only if the application is using non-trusted template names (names provided by a end-user for instance). When affected, it is possible to go up one directory for the paths configured in the application's loader. For instance, if the filesystem loader is configured with /path/to/templates as a path to look for templates, an attacker can …

2022

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates' directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed. …

2019
2015

Remote Code Execution

Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode. End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.

2013