Affected versions
Twig versions <3.26.0 of the Twig Intl Extra component are affected by this security issue.
The issue has been fixed in Twig 3.26.0.
Description
IntlExtension memoises every \IntlDateFormatter and
\NumberFormatter it creates in instance-level arrays keyed on a hash
that includes locale, pattern, attrs and other values that are
ordinary named arguments of the format_datetime / format_date /
format_time / format_number / format_currency filters. There is
no size limit and no eviction.
A template that iterates over many distinct pattern (or locale, or
grouping_used, ...) values therefore allocates one ICU formatter object
per distinct value and pins it for the entire lifetime of the
Twig\Environment. Because ICU allocates its backing buffers outside the
Zend memory manager, this growth is not bounded by memory_limit. On
long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode,
ReactPHP) where the Environment outlives a single request, the cache
also accumulates across requests.
Resolution
The formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis.
Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.