CVE-2024-45411 - How Twig's Sandbox Flaw let Hackers Slip Through (with Code, Exploit, and Fix Details)

Twig is one of the most popular template engines for PHP. It helps make website templates safe and simple—especially when users can contribute their own templates. To keep things secure, Twig has a "sandbox" feature to block users from running dangerous code.

But in May 2024, a serious vulnerability—CVE-2024-45411—was discovered. Under certain conditions, Twig would forget to run the sandbox security checks entirely. Hackers could then bypass all restrictions and execute PHP functions, open files, or even take over servers.

What is Twig's Sandbox?

The "sandbox" in Twig is meant to stop user templates from running unsafe PHP code. It blocks things like:

Here's how you'd usually set up sandboxing in PHP

use Twig\Sandbox\SecurityPolicy;
use Twig\Environment;
use Twig\Loader\ArrayLoader;

$policy = new SecurityPolicy(
    ['foo'],     // allowed tags
    ['upper'],   // allowed filters
    [],          // allowed methods
    [],          // allowed properties
    []           // allowed functions
);

$sandbox = new \Twig\Extension\SandboxExtension($policy);

$twig = new Environment(new ArrayLoader([]));
$twig->addExtension($sandbox);

What Went Wrong: The Flaw

In Twig versions earlier than 1.44.8, 2.16.1, or 3.14., sandbox checks could be skipped in certain scenarios. This happens, for example, if you set the sandbox after creating a template, or if templates are cached in a certain way.

Imagine someone uploads a template. Instead of running with restrictions, Twig executes it with full power. The result: attackers can run PHP code, dump secrets, or even get remote code execution.

Suppose the Twig environment is not sandboxed when injecting a user template

$template = $twig->createTemplate('{{ constant("php_uname")() }}'); // user provided
echo $template->render([]);

If sandbox failed

- The attacker could use constants or functions (php_uname())—which should be blocked—returning system info.

`twig

{{ constant("system")("ls /") }}

A full proof of concept (PoC) might look like

// Unsafe: user controls the $templateCode
$templateCode = '{{ constant("file_get_contents")("/etc/passwd") }}';

$template = $twig->createTemplate($templateCode);
echo $template->render([]);

If the flawed sandbox is present, this will print the private /etc/passwd file, which should never be visible.

Third-party themes: Malicious templates could leak secrets.

- Plugins/modules: Those using Twig to render user content could become a backdoor.

Twig 3.13.2 and earlier

If you use any custom sandbox setup or render untrusted templates, you must update.

The Twig team pushed fixes in

- Twig 1.44.8
- Twig 2.16.1
- Twig 3.14.

To patch: Run

composer update twig/twig

Make sure you land on version 1.44.8, 2.16.1, or 3.14.+.

Additional References

- GHSA-3w5m-xfx7-9r6f Security Advisory
- Twig Changelog
- Twig Sandbox Docs

Conclusion

CVE-2024-45411 shows the risk of assuming security layers "just work." If you run Twig and allow user templates, update immediately and review how you enable sandboxing. Don't give hackers a free pass—they love when the guards fall asleep.

Timeline

Published on: 09/09/2024 19:15:13 UTC
Last modified on: 09/10/2024 12:09:50 UTC