Low severity2.2NVD Advisory· Published Nov 6, 2024· Updated Apr 15, 2026
CVE-2024-51754
CVE-2024-51754
Description
Twig is a template language for PHP. In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
twig/twigPackagist | < 3.11.2 | 3.11.2 |
twig/twigPackagist | >= 3.12, < 3.14.1 | 3.14.1 |
Patches
35b580ec1882bf405356d20fb2bb8c2460a2cVulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-6377-hfv9-hqf6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-51754ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yamlghsaWEB
- github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73nvdWEB
- github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6nvdWEB
- lists.debian.org/debian-lts-announce/2025/05/msg00039.htmlnvdWEB
- symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-arrayghsaWEB
News mentions
0No linked articles in our index yet.