Arbitrary Code Execution Affecting twig/twig package, versions <1.20.0

Snyk CVSS

Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PHP-TWIGTWIG-70234
published 12 Aug 2015
disclosed 12 Aug 2015
credit James Kettle, Alain Tiemblo, Christophe Coevoet, Fabien Potencier

Report a new vulnerability Found a mistake?

Introduced: 12 Aug 2015

CWE-94 Open this link in a new tab

Overview

End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.

References

https://symfony.com/blog/security-release-twig-1-20-0