Описание
Twig security issue where escaping was missing when using null coalesce operator
When using the ?? operator, output escaping was missing for the expression on the left side of the operator.
Ссылки
- https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
- https://nvd.nist.gov/vuln/detail/CVE-2025-24374
- https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
- https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
- https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator
Пакеты
Наименование
twig/twig
composer
Затронутые версииВерсия исправления
>= 3.16.0, < 3.19.0
3.19.0
Связанные уязвимости
CVSS3: 4.3
ubuntu
около 1 года назад
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
CVSS3: 4.3
nvd
около 1 года назад
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
CVSS3: 4.3
debian
около 1 года назад
Twig is a template language for PHP. When using the ?? operator, outpu ...