CVE-2024-51754
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
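The practical check for this issue is behavioural rather than a version-string comparison, because distributions backport the fix without moving to 3.11.2 or 3.14.1 (Debian bullseye, for example, carries it as 2.14.3-1+deb11u4). The script below is an added example written for this page, not code from the Twig project or the advisory. It builds a sandboxed `Twig\Environment` whose `SecurityPolicy` allows the `join` and `format` filters but no methods at all, so `__toString()` is forbidden, and then renders three probe templates: a direct `{{ secret }}` (blocked by every Twig 3.x release), the object nested in an array literal, and the object passed as a filter argument. The `Secret` class, the template names, the `s3cr3t` value and the `vendor/autoload.php` path are constructed for the example.

```php
<?php
declare(strict_types=1);

// Install the Twig release you want to check first, e.g.
//   composer require twig/twig:3.14.0   (expected vulnerable)
//   composer require twig/twig:3.14.1   (expected fixed)
// The autoload path below is an assumption for this example.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for any application object whose __toString()
// the sandbox policy is meant to keep out of untrusted templates.
final class Secret
{
    public function __construct(private string $value)
    {
    }

    public function __toString(): string
    {
        return $this->value;
    }
}

/**
 * Renders three probe templates in a sandbox whose policy permits the
 * `join` and `format` filters but no method calls, so __toString() is
 * not allowed on any class. Returns ['probe name' => 'blocked' | 'leaked: <output>'].
 */
function probeSandboxToString(): array
{
    $templates = [
        // Baseline: direct output of an object is checked by every 3.x release.
        'direct'   => '{{ secret }}',
        // CVE-2024-51754, array case: the object is an item of an array literal.
        'array'    => '{{ [secret]|join(",") }}',
        // CVE-2024-51754, argument-list case: the object is a filter argument.
        'argument' => '{{ "%s"|format(secret) }}',
    ];

    // autoescape is disabled only so the probe does not also need the
    // `escape` filter on the allow-list; it is not part of the issue.
    $twig = new Environment(new ArrayLoader($templates), ['autoescape' => false]);

    $policy = new SecurityPolicy(
        [],                 // allowed tags
        ['join', 'format'], // allowed filters
        [],                 // allowed methods: none, so __toString() is denied for every class
        [],                 // allowed properties
        [],                 // allowed functions
    );
    // Second argument `true` sandboxes every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));

    $results = [];
    foreach (array_keys($templates) as $name) {
        try {
            $out = $twig->render($name, ['secret' => new Secret('s3cr3t')]);
            $results[$name] = 'leaked: ' . $out;
        } catch (SecurityError $e) {
            // SecurityNotAllowedMethodError and friends extend SecurityError.
            $results[$name] = 'blocked';
        }
    }

    return $results;
}

printf("Twig %s\n", Environment::VERSION);
foreach (probeSandboxToString() as $name => $outcome) {
    printf("%-9s %s\n", $name, $outcome);
}
```

On an affected release the `direct` probe is blocked while `array` and `argument` print `leaked: s3cr3t`, which is exactly the gap the advisory describes: the policy is enforced for direct output but not when the object reaches `implode()` or `sprintf()` through an array or an argument list. On a fixed release all three probes report `blocked`. Run the script against the installed package in each deployment rather than trusting the version number, and keep it as a regression test in the application's suite, since the advisory lists no workaround other than upgrading.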
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-51754
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | fixed | 2.14.3-1+deb11u4 |
| debian | forky | fixed | 3.14.2-1 |
| debian | sid | fixed | 3.14.2-1 |
| debian | trixie | fixed | 3.14.2-1 |
References
- https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
- https://nvd.nist.gov/vuln/detail/CVE-2024-51754
- https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
- https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml
- https://github.com/twigphp/Twig
- https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html
- https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
- https://security-tracker.debian.org/tracker/CVE-2024-51754