Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox when an object is in an array or an argument list

November 6, 2024 • Published by Avatar of Fabien Potencier\ \ \ '" class="ui-avatar d-inline-block object-fit-cover ui-avatar-with-border me-2"> Fabien Potencier

Affected versions

Twig versions <3.11.2;>=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1. Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).

Resolution

The sandbox mode now checks the __toString() method call on all objects.

The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.

Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

🚀 1

Published in #Security Advisories #Twig

Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Sébastien Alfaiate\ \ \ '" class="ui-avatar d-inline-block object-fit-cover ui-avatar-with-border">

Sébastien Alfaiate Certified said on Nov 7, 2024 at 15:18

The link to the patch is broken.

Avatar of Fabien Potencier\ \ \ '" class="ui-avatar d-inline-block object-fit-cover ui-avatar-with-border">

Fabien Potencier Certified said on Nov 10, 2024 at 10:46

Links fixed now.

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.