GHSA-mm6w-gr99-p3jjHigh

Twig: Sandbox property and method bypass via object-destructuring assignment

Published
May 21, 2026
Last Modified
May 21, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

The object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to CoreExtension::getAttribute() with the $sandboxed argument hardcoded to false, regardless of whether a SandboxExtension is active. This permanently disables the sandbox's property and method policy checks for every destructuring expression.

ObjectDestructuringSetBinary::compile() emits:

CoreExtension::getAttribute($this->env, $this->source, ..., \Twig\Template::ANY_CALL, false, false, false, ...);
//                                                                                ^^^^^
//                                                                       sandbox check never runs

Whereas GetAttrExpression::compile() correctly passes $env->hasExtension(SandboxExtension::class).

An attacker with write access to a sandboxed Twig template can read any public property or invoke any public getter on objects passed to the template engine, bypassing SecurityPolicy restrictions. The exploit requires only the {% do %} tag to be in allowedTags, which is a common configuration.

Resolution

The destructuring compiler now forwards the active sandbox flag to getAttribute() so property/method allowlists are enforced.

Credits

Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting and fixing the issue.

🎯 Affected products1

  • composer/twig/twig:>= 3.24.0, < 3.26.0

🔗 References (4)