CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array in Twig

CVSS: 2.2

Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
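Since the only remedy is to upgrade, a practical first step is to find which deployments still carry an unpatched Twig. The following is an added example (not code from the advisory or the Twig project) that reads a composer.lock and classifies the installed twig/twig version against the fix releases named above. The page does not spell out the affected ranges, so the example assumes that 3.11.2 patches the 3.11 maintenance branch and 3.14.1 patches the 3.12 to 3.14 line, and it routes anything it cannot interpret (pre-3.0 releases, dev or pre-release strings) to manual review rather than guessing.

```python
import json

# Fix releases named in the advisory for CVE-2024-51754.
FIX_311_BRANCH = (3, 11, 2)
FIX_CURRENT = (3, 14, 1)


def parse_version(version: str):
    """Turn a Composer version string such as 'v3.14.0' into (major, minor, patch).
    Returns None for anything not purely numeric (e.g. '3.x-dev', '3.14.1-beta1'),
    which callers should route to manual review rather than guess about."""
    parts = (version[1:] if version.startswith("v") else version).split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0, 0, 0]
    return tuple(nums[:3])


def classify(version: str) -> str:
    """Classify a twig/twig version as 'vulnerable', 'fixed' or 'review'.
    Assumption (ranges are not stated on the advisory page): 3.x releases before
    3.11.2 and the 3.12.0..3.14.0 line are unpatched; versions below 3.0 receive
    no fix here, so they are sent to manual review."""
    v = parse_version(version)
    if v is None or v < (3, 0, 0):
        return "review"
    if v < FIX_311_BRANCH or (3, 12, 0) <= v < FIX_CURRENT:
        return "vulnerable"
    return "fixed"


def audit_composer_lock(lock_json: str):
    """Return [(section, version, status)] for every twig/twig entry in a composer.lock."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "twig/twig":
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings


# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.14.0"},
        {"name": "symfony/yaml", "version": "v7.1.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in audit_composer_lock(SAMPLE_LOCK):
        print(f"{section}: twig/twig {version} -> {status}")
```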

Classification

CVE ID: CVE-2024-51754

CVSS Base Severity: LOW

CVSS Base Score: 2.2

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-668: Exposure of Resource to Wrong Sphere

Affected Products

Vendor: twigphp

Product: Twig

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 20.37% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-05 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-51754
https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73

Timeline