symfony/twig-bridge is vulnerable to Deserialization of Untrusted Data
59
Medium Risk
The TemplatedEmail and NotificationEmail classes restore typed string properties (such as htmlTemplate, textTemplate, locale, and theme) directly from the raw array passed to __unserialize(). When an attacker-controlled serialized payload places a \Stringable object into one of those string slots, PHP coerces it through __toString() before any validation runs, firing the gadget during unserialization. An application that deserializes untrusted data into these classes can therefore trigger attacker-chosen __toString() logic. The fix rejects \Stringable values in the raw data before any typed-string assignment and throws an exception.
You are affected if you are using a version that falls within the vulnerable range and your application deserializes untrusted data into the TemplatedEmail or NotificationEmail classes.
symfony/twig-bridge is vulnerable to Deserialization of Untrusted Data in versions 6.0.0 - 6.4.40, 7.0.0 - 7.4.12, 8.0.0 - 8.0.12 and 8.1.0 - 8.1.0.
Upgrade the symfony/twig-bridge and/or the symfony/symfony library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant