
Security Release: Twig 1.20.0

I've just released Twig 1.20.0 which contains a security vulnerability fix for Twig's Sandbox mode.


Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode.

End users can craft valid Twig code that allows them to execute arbitrary code (remote code execution, RCE) via the _self variable, which is always available, even in sandboxed templates.

Affected Versions

All versions of Twig are affected.

How to Patch

If you cannot upgrade, you can apply the patches provided in the dedicated pull request.


I want to thank James Kettle who was the first to report an RCE security issue, Alain Tiemblo, Christophe Coevoet, and Fabien Potencier for finding more possible and dangerous RCEs.

Thank you Christophe Coevoet, Tugdual Saunier, and Fabien Potencier for providing the fixes for the various attack vectors.

Check your Project

As a quick reminder, you can check your projects using Composer for vulnerability issues with the SensioLabs Security Checker.
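If you want an offline check that does not depend on the Security Checker service, the following script (an added example, not code from this post or from the Twig project) reads a Composer lock file and reports whether the locked twig/twig version is older than the 1.20.0 release mentioned above. It assumes the standard composer.lock layout with "packages" and "packages-dev" arrays; the embedded lock content is constructed for the example.

```python
import json
import re

# Constructed sample composer.lock content for demonstration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/yaml", "version": "v2.8.0"},
        {"name": "twig/twig", "version": "v1.18.2"},
    ],
    "packages-dev": [],
})

# First release carrying the sandbox fix described in this post.
FIXED_VERSION = "1.20.0"


def parse_version(version):
    """Turn 'v1.18.2' or '1.20.0' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '-RC1' are ignored; this is an assumption that
    is sufficient for tagged releases, not a complete semver parser.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def installed_twig_version(lock_json):
    """Return the locked twig/twig version string, or None if not installed."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "twig/twig":
                return pkg.get("version")
    return None


def twig_is_vulnerable(lock_json):
    """Return (vulnerable, version).

    vulnerable is True when the locked Twig is below 1.20.0, False when it is
    1.20.0 or newer or Twig is absent, and None for branch aliases such as
    'dev-master', which cannot be compared and need a manual look.
    """
    version = installed_twig_version(lock_json)
    if version is None:
        return False, None
    if version.startswith("dev-"):
        return None, version
    return parse_version(version) < parse_version(FIXED_VERSION), version


if __name__ == "__main__":
    vulnerable, version = twig_is_vulnerable(SAMPLE_LOCK)
    if version is None:
        print("twig/twig is not in the lock file")
    elif vulnerable is None:
        print(f"twig/twig {version} is a branch alias; check it by hand")
    elif vulnerable:
        print(f"twig/twig {version} is older than {FIXED_VERSION}: upgrade")
    else:
        print(f"twig/twig {version} already includes the fix")
```

Point the script at a real project by replacing SAMPLE_LOCK with the contents of that project's composer.lock; a result of True means the locked Twig predates the fix and the upgrade (or the patches from the pull request) still needs to be applied.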

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

