CVE-2025-24374
MEDIUM 4.3 | EPSS 0.30%
Twig security issue where escaping was missing when using the null coalesce operator
Published: 1/29/2025 | Modified: 5/27/2026
Description
Twig is a template language for PHP. When using the `??` operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Affected packages (2)
- Debian/php-twig: from 0
- Packagist/twig/twig: >= 3.16.0, < 3.19.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-24374
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-24374
- PATCH: https://github.com/twigphp/Twig
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
- WEB: https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
- WEB: https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
- WEB: https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator