CVE-2024-51754: 
PHP vulnerability analysis and mitigation

Twig, a template language for PHP, disclosed a security vulnerability (CVE-2024-51754) on November 6, 2024. The vulnerability allows attackers to call __toString() on an object in a sandbox environment, even when this method is not permitted by the security policy, specifically when the object is part of an array or an argument list (GitHub Advisory).

The vulnerability affects Twig versions prior to 3.11.2 and versions between 3.12 and 3.14.1. It has been assigned a CVSS v3.1 base score of 2.2 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. The issue specifically occurs when objects are included in arrays or passed as arguments to functions or filters, bypassing the sandbox security policy for the __toString() method (GitHub Advisory).

The vulnerability allows unauthorized access to the __toString() method, potentially leading to information disclosure. The impact is considered low due to the high attack complexity and required privileges, with only confidentiality being affected while integrity and availability remain uncompromised (GitHub Advisory).

The vulnerability has been patched in Twig versions 3.11.2 and 3.14.1. Users are advised to upgrade to these patched versions. The fix implements proper checking of the __toString() method call on all objects within the sandbox mode. There are no known workarounds for this issue (GitHub Advisory, Twig Commit).