CVE-2025-24374 - Vulnerability Details - OpenCVE

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0012.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-0128	Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Github GHSA	GHSA-3xg3-cgvq-2xwr	Twig security issue where escaping was missing when using null coalesce operator

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr

History

Wed, 29 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 29 Jan 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description		Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Title		Twig fixes a security issue where escaping was missing when using null coalesce operator (??)
Weaknesses		CWE-74
References		https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3 https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-29T15:22:34.012Z

Updated: 2025-01-29T15:44:49.358Z

Reserved: 2025-01-20T15:18:26.992Z

Link: CVE-2025-24374

Vulnrichment

Updated: 2025-01-29T15:44:00.628Z

NVD

Status : Received

Published: 2025-01-29T16:15:44.090

Modified: 2025-01-29T16:15:44.090

Link: CVE-2025-24374

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24374", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-20T15:18:26.992Z", "datePublished": "2025-01-29T15:22:34.012Z", "dateUpdated": "2025-01-29T15:44:49.358Z"}, "containers": {"cna": {"title": "Twig fixes a security issue where escaping was missing when using null coalesce operator (??)", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr"}, {"name": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3", "tags": ["x_refsource_MISC"], "url": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3"}], "affected": [{"vendor": "twigphp", "product": "Twig", "versions": [{"version": ">= 3.16.0, < 3.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-29T15:22:34.012Z"}, "descriptions": [{"lang": "en", "value": "Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0."}], "source": {"advisory": "GHSA-3xg3-cgvq-2xwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-29T15:44:45.378845Z", "id": "CVE-2025-24374", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T15:44:49.358Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T15:44:45.378845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T15:44:00.628Z"}}], "cna": {"title": "Twig fixes a security issue where escaping was missing when using null coalesce operator (??)", "source": {"advisory": "GHSA-3xg3-cgvq-2xwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "twigphp", "product": "Twig", "versions": [{"status": "affected", "version": ">= 3.16.0, < 3.19.0"}]}], "references": [{"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr", "name": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3", "name": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-29T15:22:34.012Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24374", "state": "PUBLISHED", "dateUpdated": "2025-01-29T15:44:49.358Z", "dateReserved": "2025-01-20T15:18:26.992Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-29T15:22:34.012Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}