I’ve just released Twig 1.12.3 which contains a security vulnerability fix.
Your application is affected if you are using
loading Twig templates, but only if you are using non-trusted template names
(names provided by an end-user, for instance).
When affected, it is possible to go up one directory from the paths configured in your loader.
For instance, if the filesystem loader is configured with
as a path to look for templates, you can force Twig to include a file stored in
/path/to by prepending the path with
/../ like in
Note that using anything else (like
../../somefile) won’t work and you will get a proper exception.
All versions of Twig are affected.
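As an added illustration (my own code, not Twig's loader and not the patch mentioned below), here is a depth-counting template-name check of the kind the description implies, which lets a single leading "/../" through while rejecting "../../", beside a hardened version that strips leading slashes and ignores empty segments. The function names and the sample template names are assumptions.

```php
<?php
// Added illustration, not Twig's own code: why a leading "/" can slip past a
// depth-counting template-name check, and a corrected version of that check.

// Weak version: every non-"." segment, including the empty one produced by a
// leading "/", raises the depth, so "/../x" nets out to depth 1 and is allowed.
function weakNameIsInsideRoot(string $name): bool
{
    $level = 0;
    foreach (explode('/', $name) as $part) {
        if ('..' === $part) {
            --$level;
        } elseif ('.' !== $part) {
            ++$level;
        }
        if ($level < 0) {
            return false; // would climb above the loader root
        }
    }
    return true;
}

// Hardened version: reject NUL bytes, normalise separators, strip leading
// slashes and skip empty segments, so only real components count as depth.
function safeNameIsInsideRoot(string $name): bool
{
    if (false !== strpos($name, "\0")) {
        return false;
    }
    $name = ltrim(strtr($name, '\\', '/'), '/');
    $level = 0;
    foreach (explode('/', $name) as $part) {
        if ('..' === $part) {
            --$level;
        } elseif ('.' !== $part && '' !== $part) {
            ++$level;
        }
        if ($level < 0) {
            return false;
        }
    }
    return true;
}

// Constructed sample names (assumed loader root: /path/to/templates).
foreach (['index.html', 'sub/../index.html', '/../somefile', '../../somefile'] as $name) {
    printf("%-18s weak=%-8s safe=%s\n", $name,
        weakNameIsInsideRoot($name) ? 'allowed' : 'rejected',
        safeNameIsInsideRoot($name) ? 'allowed' : 'rejected');
}
```

Only "/../somefile" differs between the two checks: the weak one allows it, the hardened one rejects it, while "../../somefile" is rejected by both.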
How to Patch
If you cannot upgrade, you can apply the following patch:
I want to thank Rick Prent who reported the issue and provided a fix for it.
Check your Project
As a quick reminder, you can check your projects using Composer for vulnerability issues with the SensioLabs Security Checker.