Twig >1.0.0,<1.44.7 || >2.0.0,<2.15.3 || >3.0.0,<3.4.3 are affected by this security issue.
The issue has been fixed in Twig 1.44.7, 2.15.3 and 3.4.3.
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).
We fixed validation for such template names.
Even if the 1.x branch is not maintained anymore, a new version has been released.
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.