7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39261

GHSA ID

GHSA-52m2-vc4m-jj33

EPSS Score

0.79021%

CWE

CWE-22

Published

9/30/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39261

CVE-2022-39261:
Twig may load a template outside a configured directory when using the filesystem loader

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39261

GHSA ID

GHSA-52m2-vc4m-jj33

EPSS Score

0.79021%

CWE

CWE-22

Published

9/30/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
twig/twig	composer	>= 1.0.0, < 1.44.7	1.44.7
twig/twig	composer	>= 2.0.0, < 2.15.3	2.15.3
twig/twig	composer	>= 3.0.0, < 3.4.3	3.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper validation order in the filesystem loader. The commit diff shows that validateName() was called on the full $name before parsing it into namespace/shortname. This allowed malicious namespaces like '@somewhere/../' to bypass validation. The fix moved validation to $shortname after parsing, proving the original function's validation logic was flawed. The FilesystemLoader::findTemplate method is directly implicated in the security advisory's description of namespace-based path traversal.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# **s*ription W**n usin* t** *il*syst*m lo***r to lo** t*mpl*t*s *or w*i** t** n*m* is * us*r input, it is possi*l* to us* t** `sour**` or `in*lu**` st*t*m*nt to r*** *r*itr*ry *il*s *rom outsi** t** t*mpl*t*s *ir**tory w**n usin* * n*m*sp*** lik* `

Reasoning

T** vuln*r**ility st*mm** *rom improp*r `v*li**tion` or**r in t** *il*syst*m lo***r. T** *ommit *i** s*ows t**t `v*li**t*N*m*()` w*s **ll** on t** *ull $n*m* ***or* p*rsin* it into `n*m*sp***/s*ortn*m*`. T*is *llow** m*li*ious n*m*sp***s lik* '@som*w

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-39261: Twig may load a template outside a configured directory when using the filesystem loader

Description

Resolution

Credits

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-39261:
Twig may load a template outside a configured directory when using the filesystem loader

Vulnerability Intelligence
Miggo AI