CVE-2025-24374
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Twig is a template language for PHP. When the ?? (null-coalescing) operator is used, output escaping was missing for the expression on the left-hand side of the operator. This vulnerability is fixed in 3.19.0.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-24374
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 3.19.0-1~bootstrap |
| debian | sid | fixed | 3.19.0-1~bootstrap |
| debian | trixie | fixed | 3.19.0-1~bootstrap |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | twig/twig | >=3.16.0,<3.19.0 | 3.19.0 |
References
- https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
- https://nvd.nist.gov/vuln/detail/CVE-2025-24374
- https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
- https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
- https://github.com/twigphp/Twig
- https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator
- https://security-tracker.debian.org/tracker/CVE-2025-24374