Twig, Autoescaping Bypass via spaceless filter, CVE(N/A) (Medium)

Listen to this Post

The vulnerability exists because Twig’s `spaceless` filter is registered with the `is_safe => [‘html’]` flag. This flag tells Twig’s auto-escaping mechanism that the filter’s output is already safe for HTML, so the engine does not escape it—even when `autoescape` is enabled and the developer never used |raw. When an attacker can control the input passed to spaceless, they can inject arbitrary HTML/JavaScript tags. For example:

`{% set payload = ‘‘ %}`

`{{ payload }}` → escaped, safe.

`{{ payload|spaceless }}` → unescaped, executes script.

The filter is deprecated but remains functional. Downstream projects like Drupal modules have copied the filter and inherited the unsafe `is_safe` flag.
The fix removes the `is_safe => [‘html’]` flag from spaceless, so its output is now escaped by default. Documentation now warns against applying `spaceless` to unsanitized user input.

dailycve form

Platform: Twig
Version: <2.14.11,<3.3.8
Vulnerability: Autoescaping bypass XSS
Severity: Medium
Date: 2026-05-21

Prediction: Already patched Nov2021

What Undercode Say:

Test if a Twig instance is vulnerable
php -r "echo (version_compare(Twig\Environment::VERSION, '2.14.11', '<') && version_compare(Twig\Environment::VERSION, '3.3.8', '<')) ? 'VULNERABLE' : 'PATCHED';"
Check Drupal modules that duplicated the filter
grep -r "spaceless" modules/custom/ --include=".php" | grep "is_safe"

Exploit:

Attacker supplies `{{ ‘‘|spaceless }}` via any field that passes user input to a Twig template using the `spaceless` filter. The browser executes the JavaScript because the output is not escaped.

Protection from this CVE

Upgrade Twig to `2.14.11+` or 3.3.8+. If patching impossible, avoid applying `spaceless` to user-controlled content. Remove `is_safe => [‘html’]` from any custom copy of the filter in downstream projects.

Impact

Stored or reflected XSS leading to session hijacking, data theft, or defacement in any application that renders attacker-controlled strings through the `spaceless` filter while autoescape is on.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top