CVE-2022-23614
📋 TL;DR
CVE-2022-23614 is a code injection vulnerability in Twig's sandbox mode that allows attackers to execute arbitrary PHP functions when using the sort filter with a non-closure arrow parameter. This affects PHP applications using Twig templates with sandbox mode enabled. The vulnerability could lead to remote code execution on affected systems.
💻 Affected Systems
- Twig (PHP template engine)
📦 What is this software?
Fedora by Fedoraproject
Twig by Symfony
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Arbitrary PHP code execution allowing attackers to read sensitive files, modify application behavior, or establish persistence.
If Mitigated
Limited impact if sandbox mode is disabled or proper input validation prevents malicious payloads from reaching the vulnerable filter.
🎯 Exploit Status
Exploitation requires access to template rendering with user-controlled input in sandbox mode. Public proof-of-concept code is available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Twig 3.3.8 and 2.15.3
Vendor Advisory: https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
Restart Required: No
Instructions:
1. Update Twig via Composer: 'composer require twig/twig:^3.3.8' or 'composer require twig/twig:^2.15.3'.
2. Verify the update with 'composer show twig/twig'.
3. Clear any template caches if applicable.
🔧 Temporary Workarounds
Disable sandbox mode
Temporarily disable Twig sandbox mode if not required, though this reduces security for other threats.
Input validation for sort filter
Validate and sanitize all user input passed to the sort filter's arrow parameter.
🧯 If You Can't Patch
- Implement strict input validation for all template variables, especially those used with the sort filter.
- Use web application firewalls (WAF) to block suspicious patterns and restrict access to vulnerable endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the Twig version via Composer: 'composer show twig/twig | grep version'. If the version is below 3.3.8 (for v3) or 2.15.3 (for v2), and sandbox mode is enabled, the system is vulnerable.
Check Version:
composer show twig/twig | grep version
Verify Fix Applied:
After updating, verify that the version is 3.3.8+ or 2.15.3+ with 'composer show twig/twig'. Test template rendering with controlled inputs to ensure no code execution occurs.
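The version check above, as an added helper that is not part of this advisory: it parses the "versions" line of 'composer show twig/twig' output, compares against the fixed release for the installed major branch (3.3.8 for 3.x, 2.15.3 for 2.x), and combines that with whether sandbox mode is enabled. The sample Composer output is constructed for illustration; the function and status names are ours.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by the major version branch.
FIXED_VERSIONS = {3: (3, 3, 8), 2: (2, 15, 3)}

# Constructed sample of `composer show twig/twig` output (not a real capture);
# only the "versions" line is used by the check.
SAMPLE_COMPOSER_SHOW = """name     : twig/twig
descrip. : Twig, the flexible, fast, and secure template language for PHP
keywords : templating
versions : * v3.3.7
type     : library
"""


def parse_installed_version(composer_show_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the 'versions' line, or None if absent."""
    m = re.search(r"^versions\s*:\s*\*\s*v?(\d+)\.(\d+)\.(\d+)",
                  composer_show_output, re.MULTILINE)
    if not m:
        return None  # e.g. a dev branch such as dev-master; needs manual review
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int], sandbox_enabled: bool) -> str:
    """Classify an installed Twig version against CVE-2022-23614.

    'vulnerable'           : unpatched and sandbox mode is enabled (the affected configuration)
    'unpatched-not-exposed': unpatched, but sandbox mode is off; still update
    'patched'              : at or above the fixed release for its branch
    'unknown-branch'       : the advisory names fixes only for the 2.x and 3.x branches
    """
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown-branch"
    if version >= fixed:  # tuple comparison handles major/minor/patch ordering
        return "patched"
    return "vulnerable" if sandbox_enabled else "unpatched-not-exposed"


def check_composer_output(composer_show_output: str, sandbox_enabled: bool) -> str:
    """Convenience wrapper: parse the Composer output and assess it."""
    version = parse_installed_version(composer_show_output)
    if version is None:
        return "unparseable-version"
    return assess(version, sandbox_enabled)


if __name__ == "__main__":
    print(check_composer_output(SAMPLE_COMPOSER_SHOW, sandbox_enabled=True))
```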
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP function calls in template rendering logs
- Errors related to sort filter parameter validation
- Unexpected process execution from web server context
Network Indicators:
- HTTP requests with malicious payloads targeting template endpoints
- Outbound connections from web server to suspicious IPs
SIEM Query:
source="web_logs" AND (uri="*twig*" OR uri="*template*") AND (message="*sort*" OR message="*arrow*") AND status=200
🔗 References
- https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
- https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
- https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/
- https://www.debian.org/security/2022/dsa-5107