{"id":"CVE-2019-9942","details":"A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.","aliases":["GHSA-vxrc-68xx-x48g"],"modified":"2026-04-10T04:21:02.845389Z","published":"2019-03-23T15:29:00.323Z","references":[{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Mar/60"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4419"},{"type":"FIX","url":"https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077"},{"type":"FIX","url":"https://symfony.com/blog/twig-sandbox-information-disclosure"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/twigphp/twig","events":[{"introduced":"0"},{"fixed":"754b8dfc0026585eb8498ec4bf5ff240b6b34db7"},{"introduced":"2a86dde1288d7270169083d0e078dc7ebe0f48b6"},{"fixed":"57bd838bb7a9368ecf8b19bbe9788090502d1615"},{"fixed":"eac5422956e1dcca89a3669a03a3ff32f0502077"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.38.0"},{"introduced":"2.0.0"},{"fixed":"2.7.0"}]}}],"versions":["v0.9.0","v0.9.1","v0.9.10","v0.9.2","v0.9.4","v0.9.5","v0.9.6","v0.9.7","v0.9.8","v0.9.9","v1.0.0","v1.0.0-RC1","v1.0.0-RC2","v1.1.0","v1.1.0-RC1","v1.1.0-RC2","v1.1.0-RC3","v1.1.1","v1.1.2","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.11.0","v1.11.1","v1.12.0","v1.12.0-RC1","v1.12.1","v1.12.2","v1.12.3","v1.13.0","v1.13.1","v1.13.2","v1.14.0","v1.14.1","v1.14.2","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.17.0","v1.18.0","v1.18.1","v1.18.2","v1.19.0","v1.2.0","v1.2.0-RC1","v1.20.0","v1.21.0","v1.21.1","v1.21.2","v1.22.0","v1.22.1","v1.22.2","v1.22.3","v1.23.0","v1.23.1","v1.23.2","v1.23.3","v1.24.0","v1.24.1","v1.24.2","v1.25.0","v1.26.0","v1.26.1","v1.27.0","v1.28.0","v1.28.1","v1.28.2","v1.29.0","v1.3.0","v1.3.0-RC1","v1.30.0","v1.31.0","v1.32.0","v1.33.0","v1.33.1","v1.33.2","v1.34.0","v1.34.1","v1.34.2","v1.34.3","v1.34.4","v1.35.0","v1.35.1","v1.35.2","v1.35.3","v1.35.4","v1.36.0","v1.37.0","v1.37.1","v1.4.0","v1.4.0-RC1","v1.4.0-RC2","v1.5.0","v1.5.0-RC1","v1.5.0-RC2","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.7.0","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.9.0","v1.9.1","v1.9.2","v2.0.0","v2.1.0","v2.2.0","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.0","v2.6.0","v2.6.1","v2.6.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9942.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}