PT-2022-24853 · Twig +4

Credits: Fabien Potencier +3
Published: 2022-09-28 · Updated: 2024-04-04
CVE-2022-39261
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Twig versions 1.x prior to 1.44.7
Twig versions 2.x prior to 2.15.3
Twig versions 3.x prior to 3.4.3

Description
The issue arises when the filesystem loader loads templates whose name is user input. The source or include statement can then be used to read arbitrary files from outside the templates' directory by using a namespace such as @somewhere/../some.file; in that case the validation is bypassed.

Recommendations
For versions 1.x prior to 1.44.7, update to version 1.44.7 or later.
For versions 2.x prior to 2.15.3, update to version 2.15.3 or later.
For versions 3.x prior to 3.4.3, update to version 3.4.3 or later.
As a temporary workaround, consider restricting the use of the source and include statements with user-input template names until a patch is available.
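The following is an added example, not code from Twig or from this advisory. It shows the kind of guard an application can put in front of a filesystem-backed loader while the workaround above is in place: the "@namespace/" prefix is split off first and the traversal check runs only on the remaining short name, because a check that counts the "@somewhere" token as a directory level lets it cancel the first "..", which is the bypass shape the description names. The function names, the namespace character set and the sample template names are all assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Twig's own code): validate user-supplied template names
// before they reach a filesystem loader. Sample names below are constructed.

/**
 * Split an optional "@namespace/" prefix (Twig namespace syntax) from a
 * template name. Returns [namespace, shortName]; namespace is '' when absent.
 */
function splitNamespace(string $name): array
{
    if ($name === '' || $name[0] !== '@') {
        return ['', $name];
    }
    $slash = strpos($name, '/');
    if ($slash === false || $slash < 2) {
        // "@", "@ns" without a path part, or "@/x": treat as malformed
        return [substr($name, 1), ''];
    }
    return [substr($name, 1, $slash - 1), substr($name, $slash + 1)];
}

/**
 * Canonicalise a namespace-stripped template name. Returns the normalised
 * relative path, or null when the name is empty, absolute, or contains a
 * ".." that would climb above the template root.
 *
 * This deliberately receives the short name only. If the "@namespace" token
 * were still part of the string it would count as one directory level and
 * offset the first "..", so "@somewhere/../some.file" would look safe.
 */
function normalizeTemplatePath(string $shortName): ?string
{
    // Conservative: treat backslashes as separators too (assumption, not Twig's rule)
    $shortName = str_replace('\\', '/', $shortName);
    if ($shortName === '' || $shortName[0] === '/') {
        return null;
    }
    $kept = [];
    foreach (explode('/', $shortName) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($kept === []) {
                return null; // would escape the template root
            }
            array_pop($kept);
            continue;
        }
        $kept[] = $segment;
    }
    return $kept === [] ? null : implode('/', $kept);
}

/**
 * Validate a full, possibly namespaced, template name.
 * Returns [namespace, canonicalPath] or null when the name must be rejected.
 */
function validateTemplateName(string $name): ?array
{
    [$namespace, $shortName] = splitNamespace($name);
    // A namespace is a loader key, not a path: restrict it to a plain token (assumed policy)
    if ($namespace !== '' && !preg_match('/^[A-Za-z0-9_-]+$/', $namespace)) {
        return null;
    }
    $path = normalizeTemplatePath($shortName);
    return $path === null ? null : [$namespace, $path];
}

// Constructed inputs: the bypass shape from the advisory, a benign name,
// a benign ".." that stays inside its namespace, and a plain traversal.
$samples = [
    '@somewhere/../some.file',                 // REJECT
    'pages/index.html.twig',                   // accepted
    '@somewhere/partials/../header.html.twig', // accepted: resolves to header.html.twig
    '../../etc/passwd',                        // REJECT
];
foreach ($samples as $sample) {
    $result = validateTemplateName($sample);
    printf("%-45s => %s\n", $sample, $result === null
        ? 'REJECT'
        : sprintf('ns=%s path=%s', $result[0] === '' ? '(main)' : $result[0], $result[1]));
}
```

Run it with the PHP CLI; the accepted names come back as a namespace plus a canonical relative path that the application can hand to the loader, and anything that climbs above depth zero after the namespace is removed is rejected before any file access happens.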

Tags: Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2023-6184
ALT-PU-2024-4537
ALT-PU-2024-4547
ALT-PU-2024-4961
BIT-DRUPAL-2022-39261
CVE-2022-39261
DLA-3147-1
DRUPAL-CORE-2022-016
DSA-5248-1
GHSA-52M2-VC4M-JJ33
USN-5947-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Twig
Ubuntu