CVE-2026-24425: Remote Code Execution via Sandbox Bypass in Twig Template Engine

The Twig template engine, widely used within the Symfony framework and modern PHP ecosystems, includes an optional sandbox mode designed to compile and execute untrusted templates securely. Many production deployments configure dynamic sandboxing using a SourcePolicyInterface. This interface evaluates whether a template must be sandboxed on a per-template basis, separating trusted system layouts from untrusted user-authored templates.

The attack surface is found in multi-tenant web applications, Content Management Systems (CMS), and software-as-a-service (SaaS) environments where untrusted users can submit custom template layouts. Because dynamic templates are marked sandboxed via the policy rather than a global switch, the execution engine must trace and apply isolation policies dynamically across all active contexts.

The vulnerability, identified as CVE-2026-24425, is a protection mechanism failure (CWE-693). When a sandbox is evaluated dynamically, the runtime validation engine fails to propagate the template's source context to specific array filter callback validations. This failure allows standard template authors to execute arbitrary PHP functions outside the sandbox environment.

To prevent remote code execution, Twig strictly limits the callback parameters allowed inside native template filters such as sort, filter, map, reduce, and find. Inside a sandbox environment, these filters must only accept PHP Closure objects (anonymous functions and short arrows) rather than arbitrary string callables. This prevention mechanism is governed by the checkArrow routine within the CoreExtension module.

public static function checkArrow(Environment $env, $arrow, $thing, $type)
{
    if ($arrow instanceof \Closure) {
        return;
    }
 
    if ($env->hasExtension(SandboxExtension::class) && $env->getExtension(SandboxExtension::class)->isSandboxed()) {
        throw new RuntimeError(\sprintf('The callable passed to the "%s" %s must be a Closure in sandbox mode.', $thing, $type));
    }
}

The vulnerability exists because isSandboxed() is invoked without arguments. Calling isSandboxed() on the SandboxExtension without passing a specific template Source object queries the global sandbox state, which returns false under dynamic policy-based sandboxing.

Consequently, the validation check passes silently because the execution environment believes no sandbox is active. The engine then passes the unrestricted string callable directly to the underlying PHP runtime functions (such as uasort or array_map), leading to raw system execution.

The patch addresses the context propagation failure by modifying how the compiler and the extension filters access sandbox state. Filters now request the sandboxed state explicitly by utilizing the needs_is_sandboxed attribute.

In the patched version of src/Extension/CoreExtension.php, the core callback-accepting filters are updated to receive the template's active sandbox status as a boolean argument.

@@ -263,14 +263,14 @@ public function getFilters(): array
             new TwigFilter('join', [self::class, 'join']),
             new TwigFilter('split', [self::class, 'split'], ['needs_charset' => true]),
-            new TwigFilter('sort', [self::class, 'sort'], ['needs_environment' => true]),
+            new TwigFilter('sort', [self::class, 'sort'], ['needs_environment' => true, 'needs_is_sandboxed' => true]),
             new TwigFilter('merge', [self::class, 'merge']),
             new TwigFilter('batch', [self::class, 'batch']),
             new TwigFilter('column', [self::class, 'column']),
-            new TwigFilter('filter', [self::class, 'filter'], ['needs_environment' => true]),
-            new TwigFilter('map', [self::class, 'map'], ['needs_environment' => true]),
-            new TwigFilter('reduce', [self::class, 'reduce'], ['needs_environment' => true]),
-            new TwigFilter('find', [self::class, 'find'], ['needs_environment' => true]),
+            new TwigFilter('filter', [self::class, 'filter'], ['needs_environment' => true, 'needs_is_sandboxed' => true]),
+            new TwigFilter('map', [self::class, 'map'], ['needs_environment' => true, 'needs_is_sandboxed' => true]),
+            new TwigFilter('reduce', [self::class, 'reduce'], ['needs_environment' => true, 'needs_is_sandboxed' => true]),
+            new TwigFilter('find', [self::class, 'find'], ['needs_environment' => true, 'needs_is_sandboxed' => true]),

The internal helper function signature drops its dependency on the Environment object, checking the newly supplied boolean directly.

@@ -2091,13 +2091,13 @@ public static function arrayEvery(Environment $env, $array, $arrow)
-    public static function checkArrow(Environment $env, $arrow, $thing, $type)
+    public static function checkArrow(bool $isSandboxed, $arrow, $thing, $type)
     {
         if ($arrow instanceof \Closure) {
             return;
         }
 
-        if ($env->hasExtension(SandboxExtension::class) && $env->getExtension(SandboxExtension::class)->isSandboxed()) {
+        if ($isSandboxed) {
             throw new RuntimeError(\sprintf('The callable passed to the "%s" %s must be a Closure in sandbox mode.', $thing, $type));
         }

Additionally, legacy compiler pathways recover the calling template's context dynamically by walking the PHP stack trace. The twig_resolve_caller_source routine inspects the trace to ensure the sandbox configuration is robustly recovered and applied.

To exploit this vulnerability, an attacker must have privileges to author, upload, or modify a Twig template rendered under a dynamic SourcePolicyInterface sandbox configuration.

The attacker crafts a template payload containing a callback-accepting filter, such as map, sort, filter, or reduce. Instead of providing a secure anonymous function, the attacker passes a sensitive system callable string (e.g., 'system', 'passthru', 'shell_exec').

{# Attack vector using the map filter to invoke system execution #}
{{ ["id"]|map("system")|join }}

During rendering, the compiler processes this block into PHP. Since the sandbox check is bypassed, the application maps the array containing the command argument ("id") directly to the PHP system() command. The host server executes the command and injects the output of the process into the rendered template context returned to the attacker.

The impact of CVE-2026-24425 is rated high (CVSS 8.8) because it leads directly to Remote Code Execution on the application server. Any host that accepts dynamically sandboxed templates from external users can be completely compromised by an attacker with standard template authoring permissions.

Successful execution grants shell access under the privileges of the web application user (e.g., www-data). Attackers can perform local file read operations, access database configuration strings, write web shells to public directories, or attempt local privilege escalation within containerized hosts.

Because the vulnerability bypasses Twig's sandboxing architecture, it undermines the security assumption of template isolation. Applications that rely on dynamic templates for multi-tenant customer dashboards or dynamic newsletter designs are highly susceptible to data leakage and host compromise.

The primary remediation strategy is upgrading the twig/twig dependency to a secure version. Organizations should audit their dependencies and apply the patch as soon as possible.

composer update twig/twig

If upgrading immediately is not feasible, developers should replace the dynamic SourcePolicyInterface dynamic sandbox architecture with a globally enabled sandbox. Global sandboxing is unaffected by this flaw because the global check evaluates to true, triggering the exception block on non-closure callbacks.

// Global configuration workaround
$policy = new \Twig\Sandbox\SecurityPolicy($allowedTags, $allowedFilters, $allowedMethods, $allowedProperties, $functions);
$sandbox = new \Twig\Extension\SandboxExtension($policy, true); // True enforces global isolation
$twig->addExtension($sandbox);

Furthermore, web application firewalls (WAF) can be configured to filter template input blocks containing array filters combined with string constants. Implement standard security scanning to flag Twig templates containing patterns such as |map(, |sort(, or |filter( followed directly by a single or double-quoted string literal.