Twig may load a template outside a configured directory when using the filesystem loader
Description
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates' directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-39261 allows path traversal in Twig's filesystem loader, enabling arbitrary file read via template names with namespace traversal.
Vulnerability
CVE-2022-39261 is a path traversal vulnerability in the Twig template engine for PHP, affecting versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3. When the filesystem loader processes template names supplied as user input, validation of template paths is insufficient. An attacker can use a namespace syntax such as @somewhere/../some.file to bypass directory restrictions and read arbitrary files outside the intended templates directory [1][4].
Exploitation
The attack requires that the application passes untrusted user input directly as the template name to the filesystem loader. This can occur through source or include statements in Twig templates. The attacker does not need authentication if the application exposes template loading to unauthenticated users, although many deployments require some level of access to write or influence template names [1]. The vulnerability is particularly relevant in content management systems like Drupal, where administrative users with permission to write Twig code can trigger the path traversal [3].
Impact
Successful exploitation allows an attacker to read arbitrary files on the server, such as configuration files, source code, or database credentials. This information disclosure can lead to further compromise of the application or underlying system. The vulnerability is rated high severity due to the potential for sensitive data exposure [1][4].
Mitigation
Twig has released fixed versions: 1.44.7, 2.15.3, and 3.4.3 [1][4]. Drupal core users should update to Drupal 9.3.22 or 9.4.7, as Drupal uses Twig and issued a related security advisory (SA-CORE-2022-016) [3]. No workarounds exist other than upgrading. Users of the unsupported 1.x branch should upgrade to the patched 1.44.7 release [2].
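The description above says a bare `../` in a template name is caught while the `@somewhere/../some.file` form is not. The following is an added example in Python, not Twig's own code, that reconstructs one ordering mistake with exactly that symptom (an assumption on my part, not something taken from the patch): counting directory depth on the raw name lets the `@somewhere` token itself count as one level, whereas splitting the namespace off first and depth-checking only the remainder, then confirming the resolved real path stays under the namespace root, rejects it.

```python
import os

class TemplateLoadError(ValueError): pass

def split_namespace(name):
    """'@ns/dir/t.twig' -> ('ns', 'dir/t.twig'); unprefixed names map to '__main__'."""
    if not name.startswith("@"):
        return "__main__", name
    ns, sep, short = name[1:].partition("/")
    if not ns or not sep:
        raise TemplateLoadError("malformed namespace in %r" % name)
    return ns, short

def depth_check(path):
    """Reject the path if any prefix of it climbs above the directory it starts in."""
    level = 0
    for part in path.replace("\\", "/").lstrip("/").split("/"):
        if part == "..":
            level -= 1
        elif part not in ("", "."):
            level += 1
        if level < 0:
            raise TemplateLoadError("escapes its directory: %r" % path)

def validate_weak(name):
    """Weak ordering (hypothetical): depth is counted on the raw name, so '@ns' earns a level."""
    depth_check(name)
    return split_namespace(name)

def validate_fixed(name):
    """Safe ordering: strip the namespace first, then depth-check only what is left."""
    ns, short = split_namespace(name)
    depth_check(short)
    return ns, short

def resolve(name, paths):
    """Resolve with the safe check, then confirm the real path stays under the namespace root."""
    ns, short = validate_fixed(name)
    root = os.path.realpath(paths[ns])
    target = os.path.realpath(os.path.join(root, short))
    if os.path.commonpath([root, target]) != root:
        raise TemplateLoadError("%r resolves outside %r" % (target, root))
    return target

def rejects(check, name):
    try:
        check(name)
        return False
    except TemplateLoadError:
        return True
```

The realpath containment check in `resolve` is defense in depth: it also covers symlinked template directories that a purely lexical depth count cannot see.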
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| twig/twig (Packagist) | >= 1.0.0, < 1.44.7 | 1.44.7 |
| twig/twig (Packagist) | >= 2.0.0, < 2.15.3 | 2.15.3 |
| twig/twig (Packagist) | >= 3.0.0, < 3.4.3 | 3.4.3 |
Affected products
- (no CPE) range: >= 8.0.0, < 9.3.22
- (no CPE) range: >= 1.0.0, < 1.44.7
- twigphp/Twig (v5) range: >= 1.0.0, < 1.44.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-52m2-vc4m-jj33 (ghsa, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39261 (ghsa, advisory)
- www.debian.org/security/2022/dsa-5248 (ghsa, vendor-advisory, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml (ghsa, web)
- github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b (ghsa, web)
- github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33 (ghsa, web)
- lists.debian.org/debian-lts-announce/2022/10/msg00016.html (ghsa, mailing-list, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7 (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F (ghsa, web)
- symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader (ghsa, web)
- www.drupal.org/sa-core-2022-016 (ghsa, web)
News mentions
No linked articles in our index yet.