CVE-2024-45411: Twig has a possible sandbox bypass
First published: Mon Sep 09 2024(Updated: )
### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/twig/twig | >=3.0.0<3.11.1 | 3.11.1 |
| composer/twig/twig | >=3.12.0<3.14.0 | 3.14.0 |
| composer/twig/twig | >=2.0.0<2.16.1 | 2.16.1 |
| composer/twig/twig | >=1.0.0<1.44.8 | 1.44.8 |
| Twig | >=1.0.0<1.44.8 | |
| Twig | >=2.0.0<2.16.1 | |
| Twig | >=3.0.0<3.14.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
- https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
- https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233
- https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
- https://nvd.nist.gov/vuln/detail/CVE-2024-45411
- https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635
- https://github.com/advisories/GHSA-6j75-5wfj-gh66 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml
- https://symfony.com/blog/twig-security-release-possible-sandbox-bypass
Frequently Asked Questions
What is the severity of CVE-2024-45411?
CVE-2024-45411 is considered a critical vulnerability due to its potential to allow bypassing of sandbox restrictions.
How do I fix CVE-2024-45411?
To fix CVE-2024-45411, update the Twig package to versions 1.44.8, 2.16.1, 3.11.1, or 3.14.0.
What are the affected versions for CVE-2024-45411?
CVE-2024-45411 affects Twig versions below 1.44.8, 2.16.1, 3.11.1, and 3.14.0.
What conditions lead to the CVE-2024-45411 vulnerability?
The vulnerability occurs when the sandbox is globally disabled and managed incorrectly, allowing user-contributed templates to bypass security checks.
Who is impacted by CVE-2024-45411?
Users of the Twig templating engine who have disabled sandbox security checks are at risk for CVE-2024-45411.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6j75-5wfj-gh66
- alias/CVE-2024-45411
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/composer
- vendor/symfony
- canonical/twig
- version/twig/1.0.0
- version/twig/2.0.0
- version/twig/3.0.0