security advisory - cve-2025-24374

Created on 4 February 2025, about 23 hours ago

Problem/Motivation

Updating Leaflet to 10.2.36 on Drupal 10.4.1, I received the notice from composer:
Found 1 security vulnerability advisory affecting 1 package.
Run "composer audit" for a full list of advisories.
I ran the suggested command and got this message:
Found 1 security vulnerability advisory affecting 1 package:

+-------------------+----------------------------------------------------------------------------------+
| Package | twig/twig |
| Severity | medium |
| CVE | CVE-2025-24374 |
| Title | Missing output escaping for the null coalesce operator |
| URL | https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for... |
| | l-coalesce-operator |
| Affected versions | >=3.16.0,<3.19.0 |
| Reported at | 2025-01-29T06:52:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+

Is this a situation that needs attention and if so what needs to be done?

Steps to reproduce

See above

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Active

Component

Miscellaneous

Created by

🇺🇸 United States jcory

  • Security Advisory follow-up

    This tag is to be applied to issues where an official security release has been made, but the fix needs to be ported to the development version of the code.
