CVE-2025-24374 Overview
CVE-2025-24374 is a Cross-Site Scripting (XSS) vulnerability affecting Twig, a popular template language for PHP. The vulnerability exists due to missing output escaping when using the null-coalesce (??) operator. Specifically, the expression on the left side of the ?? operator was not being properly escaped, which could allow attackers to inject malicious scripts into rendered pages.
Critical Impact
Applications using Twig templates with the ?? operator may be vulnerable to XSS attacks if user-controlled data is passed through the left-hand expression, potentially leading to session hijacking, credential theft, or malicious content injection.
Affected Products
- Twig versions prior to 3.19.0
- PHP applications using vulnerable Twig template engine versions
- Web applications leveraging Twig's null-coalesce operator with user-supplied input
Discovery Timeline
- 2025-01-29 - CVE-2025-24374 published to NVD
- 2025-01-29 - Last updated in NVD database
Technical Details for CVE-2025-24374
Vulnerability Analysis
This vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly referred to as an Injection vulnerability. The flaw resides in Twig's handling of the null-coalesce binary operator (??), which is used to provide default values when a variable is null or undefined.
The issue occurs within the NullCoalesceBinary.php component, where the implementation failed to properly escape output for the left-hand expression of the ?? operator. While Twig typically applies auto-escaping to prevent XSS attacks, this specific code path bypassed the escaping mechanism, creating a potential injection point.
When a template contains an expression like {{ user_input ?? 'default' }}, the user_input variable should be HTML-escaped before rendering. However, due to this bug, malicious HTML or JavaScript in user_input could be rendered without sanitization, enabling XSS attacks against users viewing the affected pages.
Root Cause
The root cause lies in the NullCoalesceBinary class implementation within Twig's expression handling. The class implements OperatorEscapeInterface, which should ensure proper escaping of output. However, the left-hand operand of the null-coalesce operation was not being processed through the escape filter chain, allowing raw, unescaped content to pass through to the final rendered output.
Attack Vector
This vulnerability is exploitable over the network and requires user interaction (such as clicking a malicious link or visiting a compromised page). An attacker could craft input containing malicious JavaScript that, when processed through a Twig template using the ?? operator, would execute in the victim's browser context. The attack does not require authentication and could be leveraged for:
- Session cookie theft
- Keylogging and credential harvesting
- Defacement or content manipulation
- Redirection to malicious sites
# 3.19.0 (2025-XX-XX)
+ * Fix a security issue where escaping was missing when using `??`
* Deprecate `Token::getType()`, use `Token::test()` instead
* Add `Token::toEnglish()`
* Add `ForElseNode`
Source: GitHub Commit - Twig Update
Detection Methods for CVE-2025-24374
Indicators of Compromise
- Review web application logs for unusual URL parameters or POST data containing HTML tags or JavaScript code
- Monitor for unexpected <script> tags or event handlers (e.g., onerror, onclick) in request parameters
- Check for error messages indicating template rendering issues after XSS payloads are submitted
- Audit user-generated content for suspicious JavaScript or HTML injection patterns
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect common XSS payloads in request parameters
- Use static code analysis tools to identify Twig templates utilizing the ?? operator with user-controlled variables
- Deploy Content Security Policy (CSP) headers to mitigate successful XSS exploitation and alert on violations
- Conduct regular dependency audits using tools like Composer's audit command to identify vulnerable Twig versions
Monitoring Recommendations
- Enable CSP reporting to capture attempted XSS attacks and policy violations
- Monitor application error logs for template rendering exceptions that may indicate exploitation attempts
- Implement real-time alerting on WAF detections related to XSS patterns targeting PHP applications
- Track outbound requests from client browsers that may indicate successful XSS exploitation (data exfiltration)
How to Mitigate CVE-2025-24374
Immediate Actions Required
- Update Twig to version 3.19.0 or later immediately to address this vulnerability
- Review all Twig templates using the ?? operator for potential exposure to user-controlled input
- Implement input validation and sanitization for all user-supplied data processed by templates
- Deploy or strengthen Content Security Policy headers to reduce XSS impact
Patch Information
The vulnerability has been fixed in Twig version 3.19.0. The security patch modifies the NullCoalesceBinary.php file to ensure proper output escaping for the left-hand expression of the null-coalesce operator. The fix can be reviewed in the GitHub Commit. Additional details are available in the GitHub Security Advisory GHSA-3xg3-cgvq-2xwr.
Workarounds
- Manually escape variables before using them with the ?? operator: {{ variable|e ?? 'default' }}
- Implement strict Content Security Policy headers to prevent inline script execution
- Use input validation to reject or sanitize HTML/JavaScript content in user-supplied data before template processing
# Update Twig using Composer
composer require "twig/twig:^3.19.0"
# Verify the installed version
composer show twig/twig | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
