CVE-2024-45411: 
PHP vulnerability analysis and mitigation

CVE-2024-45411 affects Twig, a template language for PHP. The vulnerability allows user-contributed templates to bypass sandbox restrictions when security checks are not properly executed. This security flaw was discovered and fixed in September 2024, affecting versions 1.0.0 through 1.44.7, 2.0.0 through 2.16.0, and 3.0.0 through 3.13.0. The issue has been patched in versions 1.44.8, 2.16.1, and 3.14.0 (GitHub Advisory).

The vulnerability occurs under specific conditions: when the sandbox is globally disabled, the sandbox is enabled via a sandboxed include() function referencing a template by name rather than a Template or TemplateWrapper instance, and the included template has been previously loaded in a non-sandbox context. The vulnerability has been assigned a CVSS v3.1 score of 8.6 (High) by NIST and 8.5 (High) by GitHub, indicating its serious nature (NVD).

When exploited, this vulnerability allows attackers to bypass sandbox restrictions in Twig templates, potentially leading to unauthorized code execution and security control circumvention. This could result in significant security implications for applications relying on Twig's sandbox feature for template security (Security Online).

The recommended mitigation is to upgrade to the patched versions: Twig 1.44.8, 2.16.1, or 3.14.0. The patch ensures that sandbox security checks are always executed at runtime, regardless of the template loading context. Various distributions have also released security updates, including Debian which has addressed the issue in version 2.14.3-1+deb11u3 (Debian LTS).