Twig Template Engine: Single Quote Escape Bypass in PHP Code Generation

A missing single-quote escape in Twig's Compiler::string() method allows attackers to break out of PHP string literals via malicious {% use %} template names, achieving unauthenticated remote code execution even in sandboxed environments.

Sebastion

CVE References

Affected

Twig/twig

Vulnerability Description

The vulnerability exists in Twig's PHP code generation logic. The Compiler::string() method escapes double quotes, backslashes, dollar signs, NUL and TAB characters when constructing PHP double-quoted string literals, but critically omits single quote escaping. When ModuleNode::compileConstructor() processes {% use %} template directives, it embeds the template name (user-controlled input) into a surrounding PHP single-quoted string literal. An attacker-controlled template name containing single quotes can terminate the string context prematurely, injecting arbitrary PHP expressions into the compiled template cache file. This transforms a templating vulnerability into direct PHP code execution.
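The escape flaw and its fix, modelled in Python as an added example that is not Twig's own code: php_addcslashes() models PHP's addcslashes() for Twig's character list, compile_use_check() assumes an illustrative shape for the single-quoted error literal that compileConstructor() writes, and literal_is_intact() reports whether a given name would terminate that literal early. The surrounding message text and sample names are constructed assumptions.

```python
# Added model (not Twig's code) of the escape flaw described above.
FLAWED_ESCAPES = "\0\t\"$\\"            # the addcslashes() list Compiler::string() used
PATCHED_ESCAPES = FLAWED_ESCAPES + "'"   # the fix adds the single quote

def php_addcslashes(value: str, chars: str) -> str:
    # Python model of PHP addcslashes() for Twig's list: NUL -> \000, TAB -> \t,
    # every other listed character gets a leading backslash.
    out = []
    for ch in value:
        if ch not in chars:
            out.append(ch)
        elif ch == "\0":
            out.append("\\000")
        elif ch == "\t":
            out.append("\\t")
        else:
            out.append("\\" + ch)
    return "".join(out)

def compiler_string(value: str, escapes: str = FLAWED_ESCAPES) -> str:
    # Compiler::string(): the escaped value wrapped in a PHP double-quoted literal.
    return '"' + php_addcslashes(value, escapes) + '"'

def compile_use_check(template_name: str, escapes: str = FLAWED_ESCAPES) -> str:
    # Assumed shape of the {% use %} check ModuleNode::compileConstructor() writes to
    # the cache file: string() output spliced into a PHP *single-quoted* literal.
    return ("throw new RuntimeError('Trait " + compiler_string(template_name, escapes)
            + " cannot be used here.');")

def single_quoted_end(src: str, start: int) -> int:
    # Index just past the PHP single-quoted literal opening at src[start]; PHP honours
    # only \' and \\ inside it. Returns -1 if the literal never closes.
    i = start + 1
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src) and src[i + 1] in "'\\":
            i += 2
        elif src[i] == "'":
            return i + 1
        else:
            i += 1
    return -1

def literal_is_intact(php_line: str) -> bool:
    # True when the generated line is still one literal followed by ');', i.e. the
    # template name did not terminate the string early. Usable as a pre-compile gate.
    end = single_quoted_end(php_line, php_line.index("'"))
    return end != -1 and php_line[end:] == ");"
```

With the flawed list, a constructed name such as `layout'x` closes the literal after `layout`; with the patched list the same name is emitted as `\'` and the literal stays whole.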

Proof-of-Concept Significance

The PoC demonstrates end-to-end sandbox escape: malicious template names bypass Twig's SecurityPolicy (which unconditionally permits {% use %} tags regardless of allowedTags configuration), execute during cache file compilation rather than template rendering, and achieve code execution before sandbox restrictions apply. The vulnerability is highly reliable because it exploits a deterministic string-escaping logic flaw. No special preconditions exist—any application accepting untrusted template file paths or names is vulnerable.

Detection Guidance

Cache File Analysis: Monitor compiled Twig cache directories for anomalous PHP syntax or unexpected function calls in cache files. Look for single-quote characters within template names in compiled ModuleNode::compileConstructor() output.

Log Indicators: Detect unusual file-write patterns to cache directories, or cache-file modification timestamps that predate application deployment.

Runtime Monitoring: Hook PHP's eval()/assert() equivalents to capture injected code execution.

YARA Rule Concept: Scan compiled cache files for a single quote (') followed by PHP keywords (eval, system, exec, passthru) outside the expected control structures.

Mitigation Steps

Immediate: Apply the security patch, which updates Compiler::string() to escape single quotes in generated PHP string literals.

Temporary Workaround: Restrict template file paths to allowlisted, sanitized directories; validate template names against a strict allowlist pattern (alphanumeric and underscore only). Disable {% use %} directives via a custom SecurityPolicy if business logic permits.

Cache Security: Set strict filesystem permissions on cache directories (0700) to prevent unauthorized file writes. Regenerate all compiled template caches after patching.

Deployment: Use a read-only compiled cache in production and prevent dynamic template compilation.

Risk Assessment

This is a critical exploit vector with a high likelihood of in-the-wild exploitation. The vulnerability affects all Twig versions prior to the patch, impacts both standard and sandboxed environments, requires no authentication, and guarantees remote code execution. Organizations using Twig with user-supplied or dynamically resolved template names are at extreme risk. Threat actors interested in PHP applications, supply-chain attacks (via template injection in dependencies), and sandbox-escape research will actively target this. Organizations should treat patching as an urgent, priority-zero task.