{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24374", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-20T15:18:26.992Z", "datePublished": "2025-01-29T15:22:34.012Z", "dateUpdated": "2025-01-29T15:44:49.358Z"}, "containers": {"cna": {"title": "Twig fixes a security issue where escaping was missing when using null coalesce operator (??)", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr"}, {"name": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3", "tags": ["x_refsource_MISC"], "url": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3"}], "affected": [{"vendor": "twigphp", "product": "Twig", "versions": [{"version": ">= 3.16.0, < 3.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-29T15:22:34.012Z"}, "descriptions": [{"lang": "en", "value": "Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0."}], "source": {"advisory": "GHSA-3xg3-cgvq-2xwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-29T15:44:45.378845Z", "id": "CVE-2025-24374", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T15:44:49.358Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T15:44:45.378845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T15:44:00.628Z"}}], "cna": {"title": "Twig fixes a security issue where escaping was missing when using null coalesce operator (??)", "source": {"advisory": "GHSA-3xg3-cgvq-2xwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "twigphp", "product": "Twig", "versions": [{"status": "affected", "version": ">= 3.16.0, < 3.19.0"}]}], "references": [{"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr", "name": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3", "name": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-29T15:22:34.012Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24374", "state": "PUBLISHED", "dateUpdated": "2025-01-29T15:44:49.358Z", "dateReserved": "2025-01-20T15:18:26.992Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-29T15:22:34.012Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0."}, {"lang": "es", "value": "Twig es un lenguaje de plantillas para PHP. Al utilizar el operador ??, no se pod\u00eda escapar la salida de la expresi\u00f3n del lado izquierdo del operador. Esta vulnerabilidad se ha corregido en la versi\u00f3n 3.19.0."}], "id": "CVE-2025-24374", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-29T16:15:44.090", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3"}, {"source": "security-advisories@github.com", "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}