Affected versions
Twig versions <3.26.0 are affected by this security issue.
The issue has been fixed in Twig 3.26.0.
Description
Compiler::string() escapes ", $, \, NUL and TAB when
generating PHP double-quoted string literals, but does not escape single
quotes. That escape set is sufficient only while the generated literal stays in
a double-quoted context. In ModuleNode::compileConstructor(), the template
name from a {% use %} tag is compiled via subcompile() -> string() and the
resulting double-quoted literal is placed inside a surrounding PHP
single-quoted string literal. A template name containing a single quote
therefore terminates that surrounding string early, and whatever follows the
quote in the name is emitted as PHP code, allowing arbitrary PHP expressions
to be injected into the compiled cache file.
The injected code executes within the PHP process when the cache file is
first loaded, bypassing the Twig sandbox entirely and achieving remote code
execution. SecurityPolicy unconditionally allows {% use %}
regardless of the configured allowedTags, so this primitive is
reachable from sandboxed templates as well: anyone who can supply template
source, even under the sandbox, can reach it.
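The escaping mismatch described above, as an added PHP illustration that is not Twig's own source: vulnerableString() and fixedString() model Compiler::string() before and after the fix (the escape sets are assumed from the description above, not copied from Twig), compileTraitCheck() is a hypothetical stand-in for the fragment of ModuleNode::compileConstructor() that wraps the compiled name in a single-quoted PHP literal, and injectedIdentifiers() lexes the generated statement with token_get_all() to show whether any part of the template name is tokenized as code rather than staying inside the string.

```php
<?php
declare(strict_types=1);

// Models Compiler::string() before the fix. The escape set (", $, \, NUL, TAB)
// is taken from the advisory text and is an assumption, not Twig's verbatim source.
function vulnerableString(string $value): string
{
    return sprintf('"%s"', addcslashes($value, "\0\t\"\$\\"));
}

// Models Compiler::string() after the fix: the single quote is escaped as well.
function fixedString(string $value): string
{
    return sprintf('"%s"', addcslashes($value, "\0\t\"\$\\'"));
}

// Hypothetical stand-in for the code generator: the compiled template name is
// embedded inside a single-quoted PHP literal, as ModuleNode::compileConstructor()
// does for {% use %} template names. The message text is made up for the demo.
function compileTraitCheck(string $templateName, callable $stringCompiler): string
{
    return "throw new RuntimeError('Template "
        . $stringCompiler($templateName)
        . " cannot be used as a trait.');";
}

// Lex the generated statement and return every T_STRING identifier other than
// RuntimeError. A correctly escaped name yields none; an injected call such as
// system() appears here only if the single-quoted literal was closed early.
function injectedIdentifiers(string $phpStatement): array
{
    $found = [];
    foreach (token_get_all('<?php ' . $phpStatement) as $token) {
        if (is_array($token) && $token[0] === T_STRING && $token[1] !== 'RuntimeError') {
            $found[] = $token[1];
        }
    }
    return $found;
}

// Constructed attacker-controlled template name, i.e. the value a {% use %} tag
// would carry. The first quote closes the outer literal, the trailing .' reopens
// it so the generated statement still parses.
$name = "x'.system('id').'";

foreach (['vulnerable' => 'vulnerableString', 'fixed' => 'fixedString'] as $label => $fn) {
    $statement = compileTraitCheck($name, $fn);
    $injected  = injectedIdentifiers($statement);
    printf("%-11s %s\n", $label . ':', $statement);
    printf("%-11s injected identifiers: %s\n\n", '', $injected ? implode(', ', $injected) : '(none)');
}
```

Run with php: the vulnerable variant lexes system as an identifier outside any string literal, while the fixed variant keeps the whole name inside one single-quoted token because every single quote is emitted as \'. The script only tokenizes the generated code and never evaluates it, so the constructed payload is not executed.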
Resolution
Compiler::string() now also escapes single quotes so that template
names placed inside single-quoted PHP literals can no longer break out of
the surrounding context.
Credits
We would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting the issue and providing the fix.