CVE-2025-24374

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-24374
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24374.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24374
Aliases
Downstream
Published
2025-01-29T15:22:34.012Z
Modified
2025-12-02T08:01:56.056208Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Twig fixes a security issue where escaping was missing when using null coalesce operator (??)
Details

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

Database specific 
{
    "cwe_ids": [
        "CWE-74"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24374.json"
}
References

Affected packages

Git / github.com/twigphp/twig

Affected ranges

Type
GIT
Repo
https://github.com/twigphp/twig
Events
Introduced
475ad2dc97d65d8631393e721e7e44fb544f0561
Fixed
d4f8c2b86374f08efc859323dbcd95c590f7124e

Affected versions

v3.*

v3.16.0
v3.17.0
v3.17.1
v3.18.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24374.json"