Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

INFO

Published Date :

2024-11-06T19:28:17.553Z

Last Modified :

2025-05-29T09:03:17.579Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-51754 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-51754.

URL Resource
https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 cve-icon cve-icon
https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact