CVE-2025-24374
MEDIUM 4.3 | EPSS 0.30% | Twig security issue where escaping was missing when using the null coalesce operator
Published: 2025/1/29 | Modified: 2026/5/27
Description
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
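An added check (not code from the advisory or the Twig project) that renders the same untrusted value with and without the null coalesce operator and compares the results, so an installation can be verified rather than relying on the version number alone; it assumes Twig is installed via Composer at vendor/autoload.php and that the autoescape strategy is the default 'html'.

```php
<?php
// Added example: detect whether this Twig installation escapes the left-hand
// operand of `??` under autoescaping. Assumes a Composer-installed Twig.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

$loader = new ArrayLoader([
    // Plain output: escaped by the 'html' autoescape strategy in every version.
    'plain'    => '{{ value }}',
    // Null coalesce: the left-hand expression was not escaped in 3.16.0 - 3.18.x.
    'coalesce' => '{{ value ?? "fallback" }}',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Returns true when the coalesce form is escaped exactly like plain output.
function isCoalesceOperandEscaped(Environment $twig, string $value): bool
{
    $plain    = $twig->render('plain', ['value' => $value]);
    $coalesce = $twig->render('coalesce', ['value' => $value]);
    // With the fix both renderings are identical and contain no raw '<'.
    return $plain === $coalesce && !str_contains($coalesce, '<');
}

// Constructed sample input: a benign value that contains markup characters.
$untrusted = '<b>not escaped</b>';

printf(
    "Twig %s: left operand of ?? escaped: %s\n",
    Environment::VERSION,
    isCoalesceOperandEscaped($twig, $untrusted)
        ? 'yes'
        : 'NO (affected; upgrade twig/twig to >= 3.19.0)'
);
```

Run it once after upgrading to confirm the fix is active in the deployed environment, since a vendored or patched copy may differ from what Composer reports.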
Affected packages (2)
- Debian/php-twig: from 0
- Packagist/twig/twig: >= 3.16.0, < 3.19.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-24374
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-24374
- PATCH: https://github.com/twigphp/Twig
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
- WEB: https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
- WEB: https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
- WEB: https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator