Affected Versions
Twig >1.0.0,<=1.44.7 || >2.0.0,<=2.16.0 || >3.0.0,<=3.11.0 || >=3.12.0,<3.14.0 versions are affected by this security issue.
Even if twig 1.x and 2.x are not maintained anymore, we've released new versions with the security fix.
This issue has been fixed in Twig 1.44.8, 2.16.1, and 3.14.0.
Description
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met: