DEBIAN-CVE-2025-24374

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-24374

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-24374.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-24374

Upstream

CVE-2025-24374

Published

2025-01-29T16:15:44.090Z

Modified

2025-11-14T04:08:28.501469Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

References

https://security-tracker.debian.org/tracker/CVE-2025-24374

Affected packages

Debian:11 / php-twig

Package

Name: php-twig
Purl: pkg:deb/debian/php-twig?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.14.3-1

2.14.3-1+deb11u1

2.14.3-1+deb11u2

2.14.3-1+deb11u3

2.14.3-1+deb11u4

3.*

3.0.0~beta1-1

3.0.0-1

3.0.0-2

3.0.1-1

3.0.3-1

3.0.4-1

3.0.5-1

3.1.1-1

3.2.1-1

3.3.0-1

3.3.2-1

3.3.3-1

3.3.3-2~stage1

3.3.3-2

3.3.3-3

3.3.4-1

3.3.6-1

3.3.7-1

3.3.8-1

3.3.8-2

3.3.9-1

3.4.1-1

3.4.2-1

3.4.3-1

3.4.3-2

3.5.0-1

3.5.1-1~bpo11+1

3.5.1-1

3.6.0-1

3.6.1-1

3.7.0-1

3.7.1-1

3.7.1-2

3.7.1-3

3.8.0-1

3.8.0-2

3.8.0-3

3.8.0-4

3.9.3-1

3.10.1-1

3.10.3-1

3.11.0-1

3.13.0-1

3.14.0-1

3.14.0-2

3.14.0-3

3.14.0-4

3.14.2-1

3.14.2-2

3.14.2-3

3.15.0-1

3.15.0-2

3.17.1-1

3.17.1-2

3.18.0-1

3.18.0-2

3.18.0-4

3.18.0-5

3.18.0-6

3.18.0-7

3.19.0-1~bootstrap

3.19.0-1

3.20.0-1~bootstrap

3.20.0-1

3.20.0-2

3.21.1-1

3.21.1-2

3.21.1-3

3.22.0-1

3.22.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-24374.json"

Debian:12 / php-twig

Package

Name: php-twig
Purl: pkg:deb/debian/php-twig?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.5.1-1

3.5.1-1+deb12u1

3.6.0-1

3.6.1-1

3.7.0-1

3.7.1-1

3.7.1-2

3.7.1-3

3.8.0-1

3.8.0-2

3.8.0-3

3.8.0-4

3.9.3-1

3.10.1-1

3.10.3-1

3.11.0-1

3.13.0-1

3.14.0-1

3.14.0-2

3.14.0-3

3.14.0-4

3.14.2-1

3.14.2-2

3.14.2-3

3.15.0-1

3.15.0-2

3.17.1-1

3.17.1-2

3.18.0-1

3.18.0-2

3.18.0-4

3.18.0-5

3.18.0-6

3.18.0-7

3.19.0-1~bootstrap

3.19.0-1

3.20.0-1~bootstrap

3.20.0-1

3.20.0-2

3.21.1-1

3.21.1-2

3.21.1-3

3.22.0-1

3.22.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-24374.json"

Debian:13 / php-twig

Package

Name: php-twig
Purl: pkg:deb/debian/php-twig?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.19.0-1~bootstrap

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-24374.json"

Debian:14 / php-twig

Package

Name: php-twig
Purl: pkg:deb/debian/php-twig?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.19.0-1~bootstrap

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-24374.json"