CVE-2024-45411: Twig has a possible sandbox bypass
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all of these conditions are met:
- The sandbox is disabled globally;
- The sandbox is enabled via a sandboxed include() function which references a template name (like included.twig) and not a Template or TemplateWrapper instance;
- The included template has been loaded before the include() call, but in a non-sandbox context (possible because the sandbox has been globally disabled).
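The following PHP snippet is an added example, not code from the advisory or from the Twig project. It shows two configurations that avoid the first two conditions listed above: enabling the sandbox globally (so no template is ever compiled without the sandbox checks), and, where the sandbox must stay off globally, passing a TemplateWrapper instance to the sandboxed include() instead of a template name. The template names, the policy contents and the autoload path are assumptions for illustration; updating Twig to a fixed release remains the actual fix.

```php
<?php
// Added example (not from the advisory or the Twig project).
// Assumes a Composer install of twig/twig; the autoload path is assumed.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Restrictive policy: only the tags and filters user-contributed templates
// are expected to need (constructed for this example).
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods
    [],                   // allowed properties
    []                    // allowed functions
);

// Configuration 1: sandbox enabled globally (second constructor argument).
// Every template, including included.twig, is compiled with the sandbox
// checks, so "loaded earlier in a non-sandbox context" cannot occur.
$loader = new ArrayLoader([
    'layout.twig'   => "{{ include('included.twig', sandboxed = true) }}",
    'included.twig' => '{{ user_title|upper }}', // constructed user-contributed content
]);
$twig = new Environment($loader, ['autoescape' => 'html']);
$twig->addExtension(new SandboxExtension($policy, true));

echo $twig->render('layout.twig', ['user_title' => 'hello']), PHP_EOL;

// Configuration 2: sandbox disabled globally, but the sandboxed include()
// receives a TemplateWrapper instance rather than a template name, which
// the advisory lists as outside the vulnerable conditions.
$loader2 = new ArrayLoader([
    'layout.twig'   => '{{ include(snippet, sandboxed = true) }}',
    'included.twig' => '{{ user_title|upper }}',
]);
$twig2 = new Environment($loader2, ['autoescape' => 'html']);
$twig2->addExtension(new SandboxExtension($policy, false));

echo $twig2->render('layout.twig', [
    'user_title' => 'hello',
    'snippet'    => $twig2->load('included.twig'), // TemplateWrapper, not a name
]), PHP_EOL;
```

Both renders print HELLO. If a user template uses a filter outside the policy (for example, a filter other than escape or upper in included.twig), the first configuration throws a Twig\Sandbox\SecurityError at render time, which is the behaviour a sandboxed include is meant to guarantee.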
References
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml
- github.com/advisories/GHSA-6j75-5wfj-gh66
- github.com/twigphp/Twig
- github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
- github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
- github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635
- github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233
- github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
- nvd.nist.gov/vuln/detail/CVE-2024-45411
- symfony.com/blog/twig-security-release-possible-sandbox-bypass