CVE-2025-24374 — Twig security issue where escaping was missing when using null coalesce operator

Description

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

How to fix CVE-2025-24374

To remediate CVE-2025-24374, upgrade the affected package to a fixed version below.

Debian/php-twig—no fix listed
—upgrade to 3.19.0 or later

Is CVE-2025-24374 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 3.16.0, < 3.19.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-24374
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-24374
PATCHgithub.com/twigphp/Twig
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml