Affected versions
Twig versions <3.26.0 are affected by this security issue.
The issue has been fixed in Twig 3.26.0.
Description
The Twig sandbox prevents untrusted templates from reaching code, data, methods, or properties they shouldn't. It does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list.
Resolution
This is by design: any limit baked into Twig itself would be both arbitrary and trivial to work around, since there are many ways a template can burn resources (large ranges, nested loops, large string operations, recursive macros, expensive filters, deeply nested includes, and so on). It would also give a false sense of safety.
If you render untrusted templates, you should contain them at the process level rather than at the template-engine level. The Twig documentation now describes this explicitly, along with a few ideas (PHP's memory_limit / max_execution_time, isolated worker processes, OS-level limits) worth considering depending on context.
See the Limiting Resource Usage section of the sandbox documentation.
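Containing an untrusted render at the process level, as the resolution describes, as an added example that is not code from this advisory or from the Twig project. It assumes a Composer-installed Twig, a hypothetical script name render_untrusted.php, and a minimal allow-list chosen for illustration: the sandbox bounds what the template can reach, while the child's memory_limit and max_execution_time plus the parent's wall-clock deadline bound how much it can consume.

```php
<?php
// render_untrusted.php (hypothetical name): one script acts as the parent and,
// when started with --worker, as the resource-limited child that does the rendering.
// Assumes Twig is installed with Composer and vendor/autoload.php exists.
require __DIR__.'/vendor/autoload.php';
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

if (($argv[1] ?? '') === '--worker') {
    // Child: the sandbox allow-list decides WHAT the template may touch; the
    // memory_limit / max_execution_time set by the parent cap HOW MUCH it may use.
    $policy = new SecurityPolicy(['for', 'if'], ['escape', 'upper'], [], [], ['range']);
    $twig = new Environment(new ArrayLoader(['untrusted' => stream_get_contents(STDIN)]));
    $twig->addExtension(new SandboxExtension($policy, true));
    echo $twig->render('untrusted', ['name' => 'world']);
    exit(0);
}

// Parent: render $template in an isolated PHP process. null means the template
// was rejected by the sandbox, crashed, or exceeded its memory/time budget.
function renderUntrusted(string $template, int $seconds = 2, string $memory = '64M'): ?string
{
    $cmd = [PHP_BINARY, '-d', "memory_limit=$memory", '-d', "max_execution_time=$seconds", __FILE__, '--worker'];
    $proc = proc_open($cmd, [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    fwrite($pipes[0], $template);
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);
    $out = '';
    $deadline = microtime(true) + $seconds;
    // max_execution_time counts CPU time on Linux, so a child that is swapping or
    // blocked can outlive it: the parent enforces a wall-clock deadline as well.
    while (($status = proc_get_status($proc))['running']) {
        $out .= stream_get_contents($pipes[1]);
        stream_get_contents($pipes[2]); // drain stderr so the child never blocks on a full pipe
        if (microtime(true) > $deadline) {
            proc_terminate($proc, 9); // SIGKILL: the child gets no chance to catch it
            proc_close($proc);
            return null;
        }
        usleep(10000);
    }
    $out .= stream_get_contents($pipes[1]); // collect whatever was written after the last poll
    proc_close($proc);
    return $status['exitcode'] === 0 ? $out : null;
}

// Constructed inputs: a harmless template, then one that tries to build a 100M-element array.
var_dump(renderUntrusted('Hello {{ name|upper }}'));
var_dump(renderUntrusted('{% for i in range(1, 100000000) %}{{ i }}{% endfor %}'));
```

The second call yields null whichever limit trips first (the child exhausts memory_limit and exits non-zero, or is killed at the deadline), and the parent process stays unaffected either way.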
Credits
We would like to thank Kai Aizen (Snailsploit) for reporting the issue.