CVE-2026-24425: Remote Code Execution via Sandbox Bypass in Twig Template Engine
Vulnerability ID: CVE-2026-24425
CVSS Score: 8.8
Published: 2026-06-05
CVE-2026-24425 is a high-severity sandbox bypass vulnerability in the Twig template engine (affecting versions 2.16.x and 3.9.0 through 3.25.x). The flaw arises when dynamic sandboxing is enabled through a SourcePolicyInterface implementation, which decides per template source whether the sandbox applies. During the runtime check of callback-accepting filters (such as map, sort, filter and reduce), Twig consulted the global sandbox flag instead of the policy decision for the template actually being rendered. Because the global flag is off in this configuration, the check passed, and a template author could hand these filters an arbitrary PHP callable named as a string, resulting in Remote Code Execution (RCE) on the host with the privileges of the web server process. The attacker only needs to be able to supply a template, typically a low-privileged tenant or content editor.
TL;DR
A dynamic sandbox bypass in Twig (CVE-2026-24425) allows remote code execution because the runtime check for callback filters such as map or sort did not receive the active template's source context, so arbitrary PHP string callables were accepted inside a template that should have been sandboxed.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-693 (Protection Mechanism Failure)
- Attack Vector: Network
- CVSS v3.1: 8.8
- EPSS Score: 0.00114
- Exploit Status: Proof-of-Concept
- CISA KEV Status: No
Affected Systems
- Twig PHP template engine within multi-tenant frameworks
- Symfony installations utilizing dynamic template sandboxing configurations
- CMS frameworks executing dynamic custom templates using SourcePolicyInterface
- Twig: >= 2.16.0, <= 2.16.1 (Fixed in: N/A)
- Twig: >= 3.9.0, <= 3.25.1 (Fixed in: 3.26.0)
Code Analysis
Commit: c8dfd62
security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
Exploit Details
- GitHub: the Twig security advisory, which contains the sandbox bypass details and the proof-of-concept tests for the vulnerability
Mitigation Strategies
- Upgrade the Twig library to version 3.26.0 or newer.
- Enforce global sandboxing on the Twig environment (SandboxExtension with sandboxing enabled for every template) instead of relying on per-source SourcePolicyInterface rules, which are the configuration affected by this flaw.
- Validate untrusted templates before compilation and reject any use of the callback-accepting filters (map, sort, filter, reduce) with a string argument; in sandbox mode only arrow functions (Closures) should be accepted as callbacks. Leaving these filters off the sandbox allow-list entirely removes the attack surface.
- Configure WAF rules to detect and drop template submissions containing suspicious string callbacks to these filters. Treat this as a stopgap only: template syntax is easy to vary, so the WAF cannot replace the library upgrade.
Remediation Steps:
- Run 'composer show twig/twig' to identify the active version in production environments.
- Update Composer configuration to require 'twig/twig: ^3.26' and execute 'composer update twig/twig'.
- Perform regression testing on all user-controlled templates to verify that runtime closures operate correctly under the strict sandbox policy.
- Audit custom dynamic policy code to ensure strict checking of user inputs prior to compilation.
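The following added PHP example (not code from the Twig project or from the advisory) shows the hardened configuration recommended above: the sandbox is enabled for every template through SandboxExtension's second constructor argument rather than through a SourcePolicyInterface implementation, and the allow-list omits the callback-accepting filters entirely, so a string callable can never reach them. The template names, the allow-list contents and the two constructed templates are illustrative assumptions, as is the assumed constructor signature SandboxExtension(policy, sandboxedGlobally) and the assumption that a fixed Twig reports a non-Closure callback in sandbox mode as a RuntimeError.

```php
<?php
// Added example: hardening a Twig environment that renders untrusted templates
// by enabling the sandbox globally (not via a SourcePolicyInterface) and by
// keeping the callback-accepting filters out of the allow-list.
// Assumes twig/twig ^3.26 installed with Composer.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed templates (not from the advisory): one benign, one that hands
// a string callable to the map filter, the shape of input the CVE concerns.
$loader = new ArrayLoader([
    'benign.twig'   => 'Hello {{ name|escape }}',
    'callback.twig' => '{{ items|map("strtoupper")|join(", ") }}',
]);

$twig = new Environment($loader, ['cache' => false, 'autoescape' => 'html']);

// Allow-list for untrusted templates. It deliberately omits map, sort,
// filter and reduce, so no callback can be supplied from a template at all.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],           // allowed tags
    ['escape', 'join', 'length'],   // allowed filters
    [],                             // allowed methods
    [],                             // allowed properties
    []                              // allowed functions
);

// Second argument true: every template is sandboxed, regardless of its
// source. This is the global mode, not the dynamic SourcePolicyInterface
// mode whose runtime check the vulnerability bypassed.
$twig->addExtension(new SandboxExtension($policy, true));

function renderUntrusted(Environment $twig, string $name, array $ctx): string
{
    try {
        return $twig->render($name, $ctx);
    } catch (SecurityError $e) {
        // The filter is not on the allow-list: rejected before any callback
        // is resolved.
        return 'BLOCKED (policy): ' . $e->getMessage();
    } catch (RuntimeError $e) {
        // Only reachable if a callback filter were allow-listed; a fixed
        // Twig then refuses non-Closure callbacks in sandbox mode (assumed
        // to surface as a RuntimeError).
        return 'BLOCKED (runtime): ' . $e->getMessage();
    }
}

echo renderUntrusted($twig, 'benign.twig', ['name' => '<b>Alice</b>']), PHP_EOL;
echo renderUntrusted($twig, 'callback.twig', ['items' => ['a', 'b']]), PHP_EOL;
```

Run it after the Composer update: the first render prints the escaped greeting, the second is refused by the sandbox with a SecurityError naming the disallowed map filter. If a tenant genuinely needs map or sort, allow-list the filter but keep the environment globally sandboxed and run the regression tests from the remediation steps, so that only arrow-function callbacks work.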
References
- Twig Security Advisory (GHSA-2q52-x2ff-qgfr)
- Twig v3.26.0 Changelog and Official Release Notes
- CVE Official Record for CVE-2026-24425