2.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-51755

GHSA ID

GHSA-jjxq-ff2g-95vh

EPSS Score

0.18245%

CWE

CWE-668

Published

11/6/2024

Updated

11/12/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-51755

CVE-2024-51755: Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled

Description

In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the __isset() method is now called after the security check. This is a BC break.

Resolution

The sandbox mode now ensures access to array-like's properties is allowed.

The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.

Credits

We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

(GitHub Advisory)

2.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-51755

GHSA ID

GHSA-jjxq-ff2g-95vh

EPSS Score

0.18245%

CWE

CWE-668

Published

11/6/2024

Updated

11/12/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
twig/twig	composer	< 3.11.2	3.11.2
twig/twig	composer	>= 3.12, < 3.14.1	3.14.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) In CoreExtension::getAttribute, security checks for property access were performed after isset()/array access checks, potentially triggering __isset() methods before policy validation. 2) In GetAttrExpression::compile, the generated code for array accesses didn't properly restrict non-native ArrayAccess implementations. The commit diff shows security checks were moved before isset() checks and array-like class validation was added, confirming these were the vulnerable paths. The test cases added (MagicObject/ArrayLikeObject) specifically target these scenarios.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription In * s*n**ox, *n* *tt**k*r **n ****ss *ttri*ut*s o* *rr*y-lik* o*j**ts *s t**y w*r* not ****k** *y t** s**urity poli*y. T**y *r* now ****k** vi* t** prop*rty poli*y *n* t** `__iss*t()` m*t*o* is now **ll** **t*r t** s**urity ****k. *

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) In `*or**xt*nsion::**t*ttri*ut*`, s**urity ****ks *or prop*rty ****ss w*r* p*r*orm** **t*r `iss*t()`/*rr*y ****ss ****ks, pot*nti*lly tri***rin* `__iss*t()` m*t*o*s ***or* poli*y v*li**tion. *) In `**

2.2

Basic Information

Concerned about an active attack path?

CVE-2024-51755: Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled

Description

Resolution

Credits

2.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI