vulnerability

Debian: CVE-2022-23614: php-twig -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Feb 4, 2022	Nov 4, 2022	Aug 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Feb 4, 2022

Added

Nov 4, 2022

Modified

Aug 15, 2025

Description

Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

Solution

debian-upgrade-php-twig

References

CVE-2022-23614
https://attackerkb.com/topics/CVE-2022-23614
CWE-74
CWE-94
DEBIAN-DSA-5107
DEBIAN-DSA-5107-1

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today