Twig CVE-2025-24374: Missing output escaping for the null coalesce operator

Affected versions

Twig versions >=3.16.0,<3.19.0 are affected by this security issue.

The issue has been fixed in Twig 3.19.0.

Description

Created 3mo | Jan 29, 2025, 9:40:06 AM

Other posts in this group

Symfony 7.2.6 has just been released. Here is the list of the most important changes since 7.2.5:

bug #60288 [VarExporter] dump default value for property hooks if present (@xabbuh)

bug #60267 [C

May 2, 2025, 12:40:05 PM | Symfony

Symfony 7.3.0-BETA1 has just been released. Here is the list of the most important changes since 7.2:

feature #60232 Add PHP config support for routing (@fabpot)

feature #60102 [HttpFoundation] A

May 2, 2025, 12:40:04 PM | Symfony

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

May 2, 2025, 12:40:03 PM | Symfony

Contributed by Kevin Bond in

May 2, 2025, 10:20:09 AM | Symfony

Symfony 6.4.21 has just been released. Here is the list of the most important changes since 6.4.20:

bug #60288 [VarExporter] dump default value for property hooks if present (@xabbuh)

bug #60268

May 2, 2025, 10:20:08 AM | Symfony

Contributed by Nathan Page in

May 1, 2025, 8:40:12 AM | Symfony

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

Apr 30, 2025, 2:20:02 PM | Symfony

Techie