CVE-2025-24374: Twig security issue where escaping was missing when using null coalesce operator
When using the ?? operator, output escaping was missing for the expression on the left side of the operator.
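The following PHP script is an added regression check for the behaviour the advisory describes; it is not Twig's own code or test suite. It renders a few constructed templates that place a value on the left side of ?? under HTML auto-escaping, feeds them a constructed markup string, and reports whether that markup reaches the output unescaped. It assumes Twig is installed via Composer and that vendor/autoload.php sits next to the script; template names, context keys and the payload string are all made up for the check.

```php
<?php
// Added regression check for CVE-2025-24374 (not Twig's own code or tests).
// Assumption: Twig was installed with Composer and vendor/autoload.php is next to this file.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed templates. Each one puts a context value on the LEFT side of ??,
// the position the advisory says was rendered without output escaping.
$templates = [
    'plain_var'     => '{{ name ?? "anonymous" }}',
    'attribute'     => '{{ user.name ?? "anonymous" }}',
    'absent_value'  => '{{ missing ?? "anonymous" }}',   // exercises the fallback path
];

// Constructed "untrusted" input: markup that must always come out HTML-escaped.
$payload  = '<script>alert(1)</script>';
$escaped  = htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$context  = ['name' => $payload, 'user' => ['name' => $payload]];

// HTML auto-escaping is Twig's default; it is set explicitly so the check is unambiguous.
$twig = new Environment(new ArrayLoader($templates), [
    'autoescape' => 'html',
    'cache'      => false,
]);

// Expected rendering per template once escaping is applied to the ?? expression.
$expected = [
    'plain_var'    => $escaped,
    'attribute'    => $escaped,
    'absent_value' => 'anonymous',
];

$failures = 0;
foreach ($templates as $tplName => $source) {
    $out = $twig->render($tplName, $context);
    $ok  = ($out === $expected[$tplName]);

    // Raw <script> surviving into the output is the symptom of the unpatched behaviour.
    $leak = str_contains($out, '<script>') ? ' (unescaped markup in output)' : '';

    printf("%-13s %s%s\n", $tplName, $ok ? 'ok' : 'FAIL', $leak);
    if (!$ok) {
        $failures++;
    }
}

// Non-zero exit code lets a CI job fail the build when escaping is missing.
exit($failures === 0 ? 0 : 1);
```

Run it against the Twig version pinned in a project's composer.lock; a FAIL line with "unescaped markup in output" means the installed version still renders the left operand of ?? without escaping and should be updated to a release that includes the fix commit referenced below.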
References
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
- github.com/advisories/GHSA-3xg3-cgvq-2xwr
- github.com/twigphp/Twig
- github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
- github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
- nvd.nist.gov/vuln/detail/CVE-2025-24374
- symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator