Medium severity (4.3) · NVD Advisory · Published Jan 29, 2025 · Updated Apr 15, 2026
CVE-2025-24374
Description
Twig is a template language for PHP. In the affected versions, output escaping was missing for the expression on the left-hand side of the null-coalescing operator (`??`): with autoescaping enabled, a template such as `{{ value ?? 'default' }}` emitted `value` unescaped whenever it was defined and non-null, so attacker-controlled data on the left-hand side can lead to cross-site scripting. The right-hand (fallback) expression is not affected. The issue is fixed in Twig 3.19.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| twig/twig (Packagist) | >= 3.16.0, < 3.19.0 | 3.19.0 |
Patches
- github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3 (fix commit, see References)
Vulnerability mechanics
Twig's autoescaper (on by default, `html` strategy) wraps the output of each printed expression in an escape call at compile time. In Twig 3.16.0 through 3.18.x, the compiled code for the `??` operator returned the left-hand expression without routing it through the escaper, so only the fallback on the right-hand side was ever escaped. Any `{{ x ?? fallback }}` where `x` is defined and non-null therefore printed `x` verbatim. Twig 3.19.0 escapes the left-hand side as well. Upgrading is the fix; as an interim measure, escape the coalesced value explicitly, e.g. `{{ (x ?? fallback)|e }}`, which the autoescaper does not escape a second time.
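The following PHP script is an added example, not code from the Twig project or from the advisory. It performs both checks a practitioner would want before and after upgrading: a static comparison of the installed Twig version against the affected range, and a behavioural test that renders the exact `??` pattern from the description with a constructed HTML payload and compares the output against Twig's html-escaped form. It assumes Twig is installed through Composer in the current directory (`vendor/autoload.php`); the template names `vuln` and `safe` and the variable `name` are arbitrary choices for the example.

```php
<?php
// Added example (not Twig's own code). Assumes a Composer install of twig/twig
// in the current directory; adjust the autoload path for your project layout.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed attacker-controlled input: what the left side of ?? resolves to.
$payload = '<script>alert(1)</script>';

// 1. Static check against the advisory's affected range: >= 3.16.0, < 3.19.0.
$version = Environment::VERSION;
$inAffectedRange = version_compare($version, '3.16.0', '>=')
    && version_compare($version, '3.19.0', '<');

// 2. Behavioural check: render the pattern from the advisory with the default
//    html autoescape strategy. 'vuln' is the pattern as written in affected
//    templates; 'safe' is the interim rewrite that escapes the coalesced value
//    explicitly (the autoescaper skips values already passed through |e).
$twig = new Environment(new ArrayLoader([
    'vuln' => '{{ name ?? "anonymous" }}',
    'safe' => '{{ (name ?? "anonymous")|e }}',
]), ['autoescape' => 'html']);

$vulnOut = $twig->render('vuln', ['name' => $payload]);
$safeOut = $twig->render('safe', ['name' => $payload]);

// Twig's html strategy is htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE, UTF-8.
$expected = htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

$vulnEscaped = ($vulnOut === $expected);
$safeEscaped = ($safeOut === $expected);

printf("Twig %s, inside CVE-2025-24374 affected range: %s\n",
    $version, $inAffectedRange ? 'yes' : 'no');
printf("{{ name ?? ... }} output escaped:      %s\n",
    $vulnEscaped ? 'yes' : 'NO (raw HTML emitted)');
printf("{{ (name ?? ...)|e }} output escaped:  %s\n",
    $safeEscaped ? 'yes' : 'NO');

// Non-zero exit so the script can gate a CI job until twig/twig is >= 3.19.0.
exit(($vulnEscaped && $safeEscaped) ? 0 : 1);
```

The behavioural check is the one to trust: a vendored or patched copy of Twig may carry a version constant that does not match its code, whereas rendering the template exercises the actual compiled escaper. On an affected version the first render returns the raw `<script>` tag and the script exits 1; after `composer update twig/twig` to 3.19.0 or later both renders return `&lt;script&gt;alert(1)&lt;/script&gt;` and it exits 0.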
References
- github.com/advisories/GHSA-3xg3-cgvq-2xwr (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-24374 (NVD)
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml (FriendsOfPHP security advisories)
- github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3 (fix commit)
- github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr (Twig security advisory)
- symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator (Symfony blog)