CVE-2022-39261
Published: 28 September 2022
Summary
CVE-2022-39261 is a high-severity Path Traversal (CWE-22) vulnerability in Symfony Twig. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Twig is a template engine for PHP whose filesystem loader is vulnerable to path traversal in versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3. When a template name supplied as user input is resolved through a namespace reference, the loader fails to enforce directory restrictions, allowing statements such as source or include to reference files outside the intended template root via sequences like @somewhere/../some.file. The flaw is classified as CWE-22 with a CVSS 3.1 score of 7.5, reflecting network-reachable confidentiality impact without authentication.
An unauthenticated remote attacker who can control template names passed to the filesystem loader can read arbitrary files on the server filesystem. Successful exploitation requires only that the application uses Twig’s namespace-based loading with untrusted input; no other privileges or user interaction are needed.
The GitHub security advisory and accompanying commit, along with distribution lists from Debian and Fedora, state that the only remediation is to upgrade to Twig 1.44.7, 2.15.3, or 3.4.3; no configuration workarounds are documented. The EPSS score has remained flat at 0.0950 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6700
Vulnerability details
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
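The only documented remediation is upgrading, but applications that pass user input into namespaced template names can also refuse traversal-shaped names before they reach the loader. The following is an added example, not Twig's loader code or the fix from the advisory: a stand-alone validator for "@namespace/relative/path" names that rejects any "." or ".." segment (stricter than Twig's own level-counting check). The namespace-to-directory map and the sample names are constructed for illustration.

```php
<?php
// Added example, not Twig's own loader code: a defensive validator for
// user-supplied Twig template names of the form "@namespace/relative/path".
// It rejects names that could escape the namespace's template root, such as
// "@somewhere/../some.file", before the name ever reaches the loader.
final class TemplateNameValidator
{
    /** @var array<string, string> namespace => template root directory (constructed sample) */
    private array $roots;

    public function __construct(array $roots)
    {
        $this->roots = $roots;
    }

    /**
     * Returns the normalised "root/relative" path for a safe name, or null when the
     * name is unknown, empty, absolute, or contains a "." or ".." segment.
     */
    public function resolve(string $name): ?string
    {
        // Treat backslashes as separators so "@ns\..\x" cannot slip past the checks.
        $name = str_replace('\\', '/', trim($name));
        $namespace = '__main__';           // default namespace used when no "@" prefix is given
        if ($name !== '' && $name[0] === '@') {
            $slash = strpos($name, '/');
            if ($slash === false) {
                return null;               // "@ns" with no path part is not a template name
            }
            $namespace = substr($name, 1, $slash - 1);
            $name = substr($name, $slash + 1);
        }
        if ($namespace === '' || !isset($this->roots[$namespace]) || $name === '') {
            return null;                   // unknown namespace or empty path
        }
        // Lexical check: every segment must be a plain file or directory name.
        foreach (explode('/', $name) as $segment) {
            if ($segment === '' || $segment === '.' || $segment === '..') {
                return null;               // leading "/", "//", "." or ".." all indicate traversal risk
            }
        }
        return rtrim($this->roots[$namespace], '/') . '/' . $name;
    }
}

// Constructed namespace map; a real application would take these from its loader configuration.
$validator = new TemplateNameValidator(['__main__' => '/srv/app/templates', 'somewhere' => '/srv/app/vendor/tpl']);
var_dump($validator->resolve('@somewhere/emails/welcome.html.twig')); // ordinary namespaced name
var_dump($validator->resolve('@somewhere/../some.file'));             // the advisory's traversal pattern
var_dump($validator->resolve('@somewhere/sub/../../etc/passwd'));     // deeper traversal in the path part
```

Run this check on the template name before calling the loader; it does not replace the upgrade, which fixes the loader itself.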
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.