8.6

CVSS Score

Basic Information

CVE ID

CVE-2024-45411

GHSA ID

GHSA-6j75-5wfj-gh66

EPSS Score

CWE

CWE-693

Published

9/9/2024

Updated

10/10/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45411

CVE-2024-45411:
Twig has a possible sandbox bypass

Description

Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.

The security issue happens when all these conditions are met:

The sandbox is disabled globally;
The sandbox is enabled via a sandboxed include() function which references a template name (like included.twig) and not a Template or TemplateWrapper instance;
The included template has been loaded before the include() call but in a non-sandbox context (possible as the sandbox has been globally disabled).

Resolution

The patch ensures that the sandbox security checks are always run at runtime.

Credits

We would like to thank Fabien Potencier for reporting and fixing the issue.

(GitHub Advisory)

8.6

CVSS Score

Basic Information

CVE ID

CVE-2024-45411

GHSA ID

GHSA-6j75-5wfj-gh66

EPSS Score

CWE

CWE-693

Published

9/9/2024

Updated

10/10/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
twig/twig	composer	>= 1.0.0, < 1.44.8	1.44.8
twig/twig	composer	>= 2.0.0, < 2.16.1	2.16.1
twig/twig	composer	>= 3.12.0, < 3.14.0	3.14.0
twig/twig	composer	>= 3.0.0, < 3.11.1	3.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how security checks were handled in the include() function. The original implementation (pre-patch) checked security during template preparation via a loop that only validated Template/TemplateWrapper instances. When including templates by name (not instances) that had been cached without sandbox context, these checks were skipped. The commit diff shows the security check (checkSecurity()) was moved from the preparation phase to the runtime phase after template loading, ensuring enforcement regardless of how the template was referenced. The test cases added in CoreTest.php validate that security errors now occur at runtime when preloading occurs, confirming the function's behavior was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription Un**r som* *ir*umst*n**s, t** s*n**ox s**urity ****ks *r* not run w*i** *llows us*r-*ontri*ut** t*mpl*t*s to *yp*ss t** s*n**ox r*stri*tions. T** s**urity issu* **pp*ns w**n *ll t**s* *on*itions *r* m*t: * T** s*n**ox is *is**l**

Reasoning

T** vuln*r**ility st*ms *rom *ow s**urity ****ks w*r* **n*l** in t** in*lu**() *un*tion. T** ori*in*l impl*m*nt*tion (pr*-p*t**) ****k** s**urity *urin* t*mpl*t* pr*p*r*tion vi* * loop t**t only v*li**t** T*mpl*t*/T*mpl*t*Wr*pp*r inst*n**s. W**n in*l

8.6

Basic Information

Concerned about an active attack path?

CVE-2024-45411: Twig has a possible sandbox bypass

Description

Resolution

Credits

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-45411:
Twig has a possible sandbox bypass

Vulnerability Intelligence
Miggo AI