CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-24374: Twig fixes a security issue where escaping was missing when using null coalesce operator (??)

4.3 CVSS

Description

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

Classification

CVE ID: CVE-2025-24374

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: twigphp

Product: Twig

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.77% (scored less or equal to compared to others)

EPSS Date: 2025-02-28 (when was this score calculated)

References

https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3

Timeline

2025-01-29 19:15:18 UTC
Github Advisory Database (Composer)

[twig/twig] Twig security issue where escaping was missing when using null coalesce operator
2025-01-30 08:58:50 UTC
CVE

Twig fixes a security issue where escaping was missing when using null coalesce operator (??)