CVE-2024-45411: Twig Sandbox Bypass Vulnerability Puts PHP Applications at Risk
A critical security vulnerability has been discovered in Twig, a widely used PHP template engine, potentially allowing attackers to bypass sandbox restrictions and execute malicious code. The vulnerability, tracked as CVE-2024-45411 and assigned a CVSS score of 8.5 (high severity), could have serious consequences for web applications relying on Twig for template rendering.
The security flaw in question relates to Twig’s sandbox, a crucial feature that enforces security checks on user-generated templates. Under specific conditions, these sandbox checks can fail to run, enabling attackers to bypass the restrictions normally in place. This loophole arises when:
- The sandbox is disabled globally.
- The sandbox is enabled via the sandboxed include() function, referencing a template by name (such as
included.twig) rather than using aTemplateorTemplateWrapperinstance. - The included template has been previously loaded in a non-sandbox context, due to the global sandbox being disabled.
When all these conditions are met, an attacker could exploit the flaw to inject malicious code or bypass template restrictions, potentially leading to unauthorized access, data exposure, or further exploitation of the underlying PHP application.
The CVE-2024-45411 vulnerability affects a wide range of Twig versions, including:
- 1.0.0 to 1.44.7
- 2.0.0 to 2.16.0
- 3.0.0 to 3.13.0
Developers and administrators are strongly urged to update Twig to the latest patched versions:
- 1.44.8
- 2.16.1
- 3.14.0
The patch addresses the vulnerability by ensuring that sandbox security checks are always performed at runtime, even under the previously problematic conditions.
Given the potential severity of this vulnerability, all PHP applications using Twig must be promptly updated to the patched versions. Delaying this action could leave your application exposed to attacks, potentially leading to data breaches, service disruptions, or other security compromises.
