CVE-2024-51754 LOW

CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array in Twig

Vendor Twigphp
Product Twig
Weakness CWE-668
Published November 6, 2024
Last update May 29, 2025

CVSS base score

2.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
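The sandbox behaviour the advisory describes can be checked from the defender's side with a small regression script. The following is an added example, not code from the Twig project or from this advisory: it assumes Twig is installed through Composer (`vendor/autoload.php`), uses a hypothetical `Secret` class standing in for any application object with a `__toString()` method, and treats only the two fixed releases named above (3.11.2 on the 3.11 branch, 3.14.1 on the current branch) as fix points, so the 3.12 and 3.13 releases are counted as unpatched, which is an assumption of this script.

```php
<?php
// Added example (not from the advisory or the Twig project).
// Assumes twig/twig installed via Composer and PHP >= 8.0.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical application object whose __toString() must never run
// inside a sandboxed template unless the policy allows it.
final class Secret
{
    public function __toString(): string
    {
        return 'SENSITIVE';
    }
}

// True when the installed Twig release carries the CVE-2024-51754 fix.
// Assumption: the only fixed release lines are 3.11.2+ (3.11 branch)
// and 3.14.1+; 3.12.x and 3.13.x are treated as unpatched.
function twigIsPatched(string $version): bool
{
    if (version_compare($version, '3.14.1', '>=')) {
        return true;
    }
    return version_compare($version, '3.11.2', '>=')
        && version_compare($version, '3.12.0', '<');
}

// Renders two sandboxed templates with a policy that allows no methods at
// all (so __toString() is denied): one uses the object directly, the other
// nests it in an array passed to a filter, the case this CVE is about.
// Returns true only if the sandbox blocks __toString() in both cases.
function sandboxDeniesNestedToString(): bool
{
    $policy = new SecurityPolicy(
        [],        // allowed tags
        ['join'],  // allowed filters: join must be allowed so that the
                   // only thing the sandbox can reject is __toString()
        [],        // allowed methods: __toString() deliberately absent
        [],        // allowed properties
        []         // allowed functions
    );

    $twig = new Environment(new ArrayLoader([
        'direct' => '{{ obj }}',
        'nested' => '{{ [obj]|join("") }}',
    ]));
    // Second argument true: every template is sandboxed, not just {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));

    foreach (['direct', 'nested'] as $name) {
        try {
            $twig->render($name, ['obj' => new Secret()]);
            // Rendering succeeded, so __toString() ran despite the policy.
            return false;
        } catch (SecurityError $e) {
            // Expected: the policy rejected the __toString() call.
        }
    }
    return true;
}

$version = Environment::VERSION;
printf("Twig %s: version check %s, sandbox check %s\n",
    $version,
    twigIsPatched($version) ? 'patched' : 'UNPATCHED',
    sandboxDeniesNestedToString() ? 'blocks nested __toString()' : 'LEAKS via nested object'
);
```

On a patched release both checks should agree; a version that passes the version check but fails the sandbox check would indicate the assumption about fixed release lines is wrong for that install and is worth reporting upstream rather than ignoring.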

Key dates

Disclosure timeline

November 6, 2024 CVE published
May 29, 2025 Record updated