Symfony 6 Certification New exam with updated questions 100% online Show your expertise

Twig: Sandbox Information Disclosure

Affected versions

Twig 1.0.0 to 1.37.1 and 2.0.0 to 2.6.2 are affected by this security issue.

The issue has been fixed in Twig 1.38.0 and 2.7.0.


This vulnerability affects the sandbox mode of Twig. If you are not using the sandbox, your code is not affected.

Twig allows the evaluation of non-trusted templates in a sandbox, where everything is forbidden if not explicitly allowed by a sandbox policy (tags, filters, functions, method calls, ...).

For instance, {% if true %}...{% endif %} is not allowed in a sandbox if the if tag has not been explicitly allowed in the sandbox policy.

There is an edge case related to how PHP works. When using {{ var }} with var being an object, PHP will automatically cast the object to a string (echo $var is equivalent to echo $var->__toString()).

If you don't allow __toString() on the class of var, this code will throw a sandbox policy exception.

But unfortunately, the protection against calling __toString() only works for simple cases like the one mentioned above. It does not work on the following template for instance: {{var|upper }} where __toString() will be called even if not part of the policy.

As __toString() is sometimes used in classes to return some debug information, bypassing the policy might disclose sensitive information like database entry ids, usernames, or more.


I have rewritten the current strategy that prevents __toString() to be called when not whitelisted with a different approach that tries to spot when PHP will cast objects to strings automatically (echo is one of them, concatenation is another one). The patch for this issue is available here for the 1.x branch.


I found this issue while working on Twig 3.x, and I provided a patch to fix the issue. I'd like to thank the Symfony core team for the patch review.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.
If you have found a security issue in Symfony, please send the details to security [at] and don't disclose it publicly until we can provide a fix for it.
Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.


It would be very nice to bump the requirements in symfony/twig-bridge (^1.37.1|^2.6.2).

Thank you
Sorry, forget my previous comment, it's ok!

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.