Low severity2.2NVD Advisory· Published Nov 6, 2024· Updated Apr 15, 2026
CVE-2024-51755
CVE-2024-51755
Description
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the __isset() method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
twig/twigPackagist | < 3.11.2 | 3.11.2 |
twig/twigPackagist | >= 3.12, < 3.14.1 | 3.14.1 |
Patches
35b580ec1882bf405356d20fb831c148e7861Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-jjxq-ff2g-95vhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-51755ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yamlghsaWEB
- github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21nvdWEB
- github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vhnvdWEB
- symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabledghsaWEB
News mentions
0No linked articles in our index yet.