CVE-2019-9942

Name of the Vulnerable Software and Affected Versions Twig versions prior to 1.38.0 Twig versions 2.x prior to 2.7.0

Description A sandbox information disclosure issue exists because, under some circumstances, it is possible to call the toString() method on an object even if not allowed by the security policy in place. This could allow a remote attacker to access confidential data.

Recommendations For Twig versions prior to 1.38.0, update to version 1.38.0 or later. For Twig versions 2.x prior to 2.7.0, update to version 2.7.0 or later. As a temporary workaround, consider restricting access to objects that could be exploited through the toString() method until a patch is available.