VYPR
Moderate severity · NVD Advisory · Published Dec 30, 2020 · Updated Aug 4, 2024

CVE-2020-28925

Description

Bolt CMS before 3.7.2 fails to restrict filter options on the Request object in Twig, enabling potential crafted attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-28925 affects Bolt CMS versions prior to 3.7.2, where the Twig context does not restrict filter options on the Request object. This leaves the application out of line with the "How to Harden Your PHP for Better Security" guidance, which advises limiting the ability to apply arbitrary filters to request parameters [1].

Exploitation

Details

The vulnerability resides in the way the Request object is exposed in Twig templates. Without proper restriction, an attacker who can influence Twig template processing (for example by injecting template variables, or through other means that allow control over template expressions) could potentially invoke filters on the request parameters that should be disallowed [2]. The commit addressing this issue (c0cd530) introduces dedicated ParameterBag and FileBag classes that restrict the available filter functions, and adds a special case in the offsetGet method to return a sanitized version of the request object [2].
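A hardening alternative to the denylist used by the fix, as an added example that is not Bolt's own code: the bag rejects every filter id outside an allowlist and drops the 'options' entry unconditionally, so the restriction does not depend on keeping a list of function names current. RestrictedTwigBag is a hypothetical stand-in for the bag exposed to Twig.

```php
<?php
// Added example, not Bolt's own code: a stand-in for a Twig-exposed request
// bag that allows only validation/sanitization filters and never forwards a
// caller-supplied callback. filter() mirrors Symfony's ParameterBag::filter()
// (filter_var over the stored value); the class name is hypothetical.

class RestrictedTwigBag
{
    private $parameters;

    // Allowlist: filter ids that only validate or sanitize a scalar value.
    private const ALLOWED_FILTERS = [
        FILTER_DEFAULT,
        FILTER_VALIDATE_INT,
        FILTER_VALIDATE_FLOAT,
        FILTER_VALIDATE_EMAIL,
        FILTER_SANITIZE_SPECIAL_CHARS,
    ];

    public function __construct(array $parameters = [])
    {
        $this->parameters = $parameters;
    }

    public function get(string $key, $default = null)
    {
        return array_key_exists($key, $this->parameters) ? $this->parameters[$key] : $default;
    }

    // The filter id must be on the allowlist and the 'options' entry is dropped
    // unconditionally, so FILTER_CALLBACK never reaches filter_var() from a
    // template, whatever the callback is called (no denylist to keep current).
    public function filter(string $key, $default = null, int $filter = FILTER_DEFAULT, array $options = [])
    {
        if (!in_array($filter, self::ALLOWED_FILTERS, true)) {
            throw new \InvalidArgumentException("Filter id $filter is not permitted in the Twig context");
        }
        unset($options['options']);
        return filter_var($this->get($key, $default), $filter, $options);
    }
}

// Constructed sample query parameters: the int filter works, any callback is refused.
$query = new RestrictedTwigBag(['page' => '3', 'q' => 'bolt']);
$page = $query->filter('page', null, FILTER_VALIDATE_INT);
try {
    $query->filter('q', null, FILTER_CALLBACK, ['options' => 'strtoupper']);
} catch (\InvalidArgumentException $e) {
    // Reaching here is the intended outcome for a callback filter.
}
```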

Impact

If successfully exploited, an attacker may be able to bypass intended restrictions on filter usage, leading to unexpected behavior in the application. The specific consequences depend on which filters are abused, but could include information disclosure or other actions that compromise the security of the CMS [3]. The fix was released in Bolt 3.7.2, which replaces the raw request object with one that enforces a restricted filter set.

Mitigation

Users should upgrade to Bolt 3.7.2 or later immediately [3]. There are no known workarounds besides applying the patch. Bolt is no longer actively maintained (the repository was archived in 2026), so administrators running older versions should plan to migrate to an alternative CMS if an upgrade is not possible.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
bolt/bolt (Packagist)   < 3.7.2        3.7.2

Affected products: 2

Patches

c0cd530e78c2

Restrict `filter` options in `Request` in Twig context

https://github.com/bolt/bolt · Xiao Hu Tai · Oct 16, 2020 · via ghsa
5 files changed · +160 -0
  • src/Twig/ArrayAccessSecurityProxy.php · +13 -0 · modified
    @@ -72,6 +72,19 @@ public function offsetGet($offset)
         {
             $this->sandbox->checkPropertyAllowed($this, $offset);
     
    +        if ($offset === 'request') {
    +            $request = $this->object[$offset];
    +
    +            $request->request = new Request\ParameterBag($request->request->all());
    +            $request->query = new Request\ParameterBag($request->query->all());
    +            $request->attributes = new Request\ParameterBag($request->attributes->all());
    +            $request->cookies = new Request\ParameterBag($request->cookies->all());
    +            $request->files = new Request\FileBag($request->files->all());
    +            $request->server = new Request\ServerBag($request->server->all());
    +
    +            return $request;
    +        }
    +
             return $this->object[$offset];
         }
     
    
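Review bot: the `if ($offset === 'request')` branch assigns new bags onto the public properties of the live Request held in `$this->object`, so the mutation is not confined to the Twig context: every other consumer of that same Request in the process sees the swapped bags after the first template access, and the original bag instances are discarded. Cloning before swapping (`$request = clone $this->object[$offset];`) keeps the restricted view local to templates and leaves the application's Request untouched. The branch also runs on every access to `request`, re-wrapping already-wrapped bags each time; a clone taken once per proxy would avoid that.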
  • src/Twig/Request/FileBag.php · +15 -0 · added
    @@ -0,0 +1,15 @@
    +<?php
    +
    +namespace Bolt\Twig\Request;
    +
    +/**
    + * ParameterBag is a container for key/value pairs.
    + * Overridden in order to disable certain filters.
    + *
    + * @author Xiao-Hu Tai <xiao@twokings.nl>
    + * @author Fabien Potencier <fabien@symfony.com>
    + */
    +class FileBag extends \Symfony\Component\HttpFoundation\FileBag implements \IteratorAggregate, \Countable
    +{
    +    use RestrictedFilterTrait;
    +}
    
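Review bot: the docblock is copied from ParameterBag ("ParameterBag is a container for key/value pairs") and should describe FileBag, which holds uploaded files. The explicit `implements \IteratorAggregate, \Countable` is redundant, since the Symfony parent already implements both interfaces, and can be dropped.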
  • src/Twig/Request/ParameterBag.php · +15 -0 · added
    @@ -0,0 +1,15 @@
    +<?php
    +
    +namespace Bolt\Twig\Request;
    +
    +/**
    + * ParameterBag is a container for key/value pairs.
    + * Overridden in order to disable certain filters.
    + *
    + * @author Xiao-Hu Tai <xiao@twokings.nl>
    + * @author Fabien Potencier <fabien@symfony.com>
    + */
    +class ParameterBag extends \Symfony\Component\HttpFoundation\ParameterBag implements \IteratorAggregate, \Countable
    +{
    +    use RestrictedFilterTrait;
    +}
    
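Review bot: the docblock says the class is overridden "in order to disable certain filters", but the trait only strips the `options` entry of the `$options` array when its value is on a name list; the filter id itself is always forwarded. Document precisely what is restricted so later maintainers do not assume other filters are blocked. As in FileBag.php, `implements \IteratorAggregate, \Countable` duplicates what the Symfony parent already declares.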
  • src/Twig/Request/RestrictedFilterTrait.php · +102 -0 · added
    @@ -0,0 +1,102 @@
    +<?php
    +
    +namespace Bolt\Twig\Request;
    +
    +/**
    + * Override filter function in order to restrict certain options in Twig context.
    + * The list of restricted options are taken from "How to Harden Your PHP for
    + * Better Security" [1].
    + *
    + * [1] https://howtogetonline.com/how-to-harden-your-php-for-better-security.php
    + *
    + * @author Xiao-Hu Tai <xiao@twokings.nl>
    + */
    +trait RestrictedFilterTrait
    +{
    +    /** @var array */
    +    private $restrictedOptions = [
    +        '_getppid',
    +        'allow_url_fopen',
    +        'allow_url_include',
    +        'chgrp',
    +        'chmod',
    +        'chown',
    +        'curl_exec',
    +        'curl_multi_exec',
    +        'diskfreespace',
    +        'dl',
    +        'exec',
    +        'fpaththru',
    +        'getmypid',
    +        'getmyuid',
    +        'highlight_file',
    +        'ignore_user_abord',
    +        'ini_set',
    +        'lchgrp',
    +        'lchown',
    +        'leak',
    +        'link',
    +        'listen',
    +        'parse_ini_file',
    +        'passthru',
    +        'pcntl_exec',
    +        'php_uname',
    +        'phpinfo',
    +        'popen',
    +        'posix_ctermid',
    +        'posix_getcwd',
    +        'posix_getegid',
    +        'posix_geteuid',
    +        'posix_getgid',
    +        'posix_getgrgid',
    +        'posix_getgrnam',
    +        'posix_getgroups',
    +        'posix_getlogin',
    +        'posix_getpgid',
    +        'posix_getpgrp',
    +        'posix_getpid',
    +        'posix_getpwnam',
    +        'posix_getpwuid',
    +        'posix_getrlimit',
    +        'posix_getsid',
    +        'posix_getuid',
    +        'posix_isatty',
    +        'posix_kill',
    +        'posix_mkfifo',
    +        'posix_setegid',
    +        'posix_seteuid',
    +        'posix_setgid',
    +        'posix_setpgid',
    +        'posix_setsid',
    +        'posix_setuid',
    +        'posix_times',
    +        'posix_ttyname',
    +        'posix_uname',
    +        'posix',
    +        'proc_close',
    +        'proc_get_status',
    +        'proc_nice',
    +        'proc_open',
    +        'proc_terminate',
    +        'putenv',
    +        'set_time_limit',
    +        'shell_exec',
    +        'show_source',
    +        'source',
    +        'system',
    +        'tmpfile',
    +        'virtual',
    +    ];
    +
    +    /**
    +     * {@inheritdoc}
    +     */
    +    public function filter($key, $default = null, $filter = FILTER_DEFAULT, $options = array(), $deep = false)
    +    {
    +        if (isset($options['options']) && in_array($options['options'], $this->restrictedOptions)) {
    +            unset($options['options']);
    +        }
    +
    +        return parent::filter($key, $default, $filter, $options, $deep);
    +    }
    +}
    
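Review bot: `filter()` relies on a denylist of function names compared with a non-strict `in_array`, and a denylist can never be complete: only values that literally match an entry are removed, and everything else reaches `parent::filter()` unchanged. Several entries are also misspelled and will never match ('fpaththru' for fpassthru, 'ignore_user_abord' for ignore_user_abort, '_getppid' for posix_getppid), and 'allow_url_fopen' and 'allow_url_include' are ini directives rather than callable functions, so the list gives a false sense of coverage. Templates have no legitimate reason to hand a callback to filter_var(), so the robust change is to drop `$options['options']` unconditionally, or to refuse `FILTER_CALLBACK` outright, in the Twig context; if the list is kept, at minimum use `in_array(..., true)` and fix the spellings.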
  • src/Twig/Request/ServerBag.php · +15 -0 · added
    @@ -0,0 +1,15 @@
    +<?php
    +
    +namespace Bolt\Twig\Request;
    +
    +/**
    + * ParameterBag is a container for key/value pairs.
    + * Overridden in order to disable certain filters.
    + *
    + * @author Xiao-Hu Tai <xiao@twokings.nl>
    + * @author Fabien Potencier <fabien@symfony.com>
    + */
    +class ServerBag extends \Symfony\Component\HttpFoundation\ServerBag implements \IteratorAggregate, \Countable
    +{
    +    use RestrictedFilterTrait;
    +}
    
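Review bot: same copy-paste docblock as FileBag.php: "ParameterBag is a container for key/value pairs" should describe ServerBag, and the `implements \IteratorAggregate, \Countable` clause is redundant with the Symfony parent.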

