Twig Sandbox Escape by authenticated users with access to editing CMS templates when safemode is enabled.
Description
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
october/cmsPackagist | >= 1.0.319, < 1.0.469 | 1.0.469 |
Affected products
1- Range: >= 1.0.319, < 1.0.469
Patches
14c650bb775abSecurity fixes for v1.0.469
3 files changed · +67 −0
modules/cms/classes/Controller.php+3 −0 modified@@ -15,6 +15,7 @@ use BackendAuth; use Twig\Environment as TwigEnvironment; use Twig\Cache\FilesystemCache as TwigCacheFilesystem; +use Twig\Extension\SandboxExtension; use Cms\Twig\Loader as TwigLoader; use Cms\Twig\DebugExtension; use Cms\Twig\Extension as CmsTwigExtension; @@ -23,6 +24,7 @@ use System\Helpers\View as ViewHelper; use System\Classes\CombineAssets; use System\Twig\Extension as SystemTwigExtension; +use System\Twig\SecurityPolicy; use October\Rain\Exception\AjaxException; use October\Rain\Exception\ValidationException; use October\Rain\Parse\Bracket as TextParser; @@ -608,6 +610,7 @@ protected function initTwigEnvironment() $this->twig = new TwigEnvironment($this->loader, $options); $this->twig->addExtension(new CmsTwigExtension($this)); $this->twig->addExtension(new SystemTwigExtension); + $this->twig->addExtension(new SandboxExtension(new SecurityPolicy, true)); if ($isDebugMode) { $this->twig->addExtension(new DebugExtension($this));
modules/system/ServiceProvider.php+3 −0 modified@@ -19,6 +19,7 @@ use System\Twig\Engine as TwigEngine; use System\Twig\Loader as TwigLoader; use System\Twig\Extension as TwigExtension; +use System\Twig\SecurityPolicy as TwigSecurityPolicy; use System\Models\EventLog; use System\Models\MailSetting; use System\Classes\CombineAssets; @@ -27,6 +28,7 @@ use October\Rain\Router\Helper as RouterHelper; use Illuminate\Pagination\Paginator; use Illuminate\Support\Facades\Schema; +use Twig\Extension\SandboxExtension; class ServiceProvider extends ModuleServiceProvider { @@ -297,6 +299,7 @@ protected function registerTwigParser() App::singleton('twig.environment', function ($app) { $twig = new TwigEnvironment(new TwigLoader, ['auto_reload' => true]); $twig->addExtension(new TwigExtension); + $twig->addExtension(new SandboxExtension(new TwigSecurityPolicy, true)); return $twig; });
modules/system/twig/SecurityPolicy.php+61 −0 added@@ -0,0 +1,61 @@ +<?php namespace System\Twig; + +use Twig\Markup; +use Twig\Template; +use Twig\Sandbox\SecurityPolicyInterface; +use Twig\Sandbox\SecurityNotAllowedMethodError; +use Twig\Sandbox\SecurityNotAllowedPropertyError; + +/** + * SecurityPolicy globally blocks accessibility of certain methods and properties. + * + * @package october\system + * @author Alexey Bobkov, Samuel Georges + */ +final class SecurityPolicy implements SecurityPolicyInterface +{ + protected $blockedProperties = []; + + protected $blockedMethods = [ + 'addDynamicMethod', + 'addDynamicProperty' + ]; + + public function __construct() + { + $this->setBlockedMethods($this->blockedMethods); + } + + public function setBlockedMethods(array $methods) + { + foreach ($this->blockedMethods as $i => $m) { + $this->blockedMethods[$i] = strtr($m, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'); + } + } + + public function checkSecurity($tags, $filters, $functions) + { + } + + public function checkMethodAllowed($obj, $method) + { + if ($obj instanceof Template || $obj instanceof Markup) { + return; + } + + $blockedMethod = strtr($method, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'); + + if (in_array($blockedMethod, $this->blockedMethods)) { + $class = get_class($obj); + throw new SecurityNotAllowedMethodError(sprintf('Calling "%s" method on a "%s" object is blocked.', $method, $class), $class, $method); + } + } + + public function checkPropertyAllowed($obj, $property) + { + if (in_array($property, $this->blockedProperties)) { + $class = get_class($obj); + throw new SecurityNotAllowedPropertyError(sprintf('Calling "%s" property on a "%s" object is blocked.', $property, $class), $class, $property); + } + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-94vp-rmqv-5875ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15247ghsaADVISORY
- github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982ghsax_refsource_MISCWEB
- github.com/octobercms/october/security/advisories/GHSA-94vp-rmqv-5875ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.