Skip to main content

twig/intl-extra CVE-2026-46629

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-21 https://github.com/twigphp/Twig GHSA-35wc-cvqg-78fp
5.3
CVSS 4.0 · Vendor: https://github.com/twigphp/Twig
Share

Severity by source

Vendor (https://github.com/twigphp/Twig) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/twigphp/Twig) · only source for this CVE.

CVSS VectorVendor: https://github.com/twigphp/Twig

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 22:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 21, 2026 - 22:02 vuln.today
Analysis Generated
May 21, 2026 - 22:02 vuln.today

DescriptionCVE.org

Description

IntlExtension memoises every \IntlDateFormatter and \NumberFormatter it creates in instance-level arrays keyed on a hash that includes locale, pattern, attrs and other values that are ordinary named arguments of the format_datetime / format_date / format_time / format_number / format_currency filters. There is no size limit and no eviction.

A template that iterates over many distinct pattern (or locale, or grouping_used, ...) values therefore allocates one ICU formatter object per distinct value and pins it for the entire lifetime of the Twig\Environment. Because ICU allocates its backing buffers outside the Zend memory manager, this growth is not bounded by memory_limit. On long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode, ReactPHP) where the Environment outlives a single request, the cache also accumulates across requests.

Resolution

The formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Unbounded formatter memoization in twig/intl-extra versions prior to 3.26.0 enables memory exhaustion denial of service on persistent PHP worker runtimes. The IntlExtension caches every unique combination of template filter arguments (locale, pattern, grouping_used, attrs, etc.) as ICU formatter objects with no eviction policy; because ICU allocates its backing buffers outside the Zend memory manager, this growth entirely bypasses PHP's memory_limit directive. On long-running runtimes such as RoadRunner, Swoole, FrankenPHP worker mode, and ReactPHP - where a single Twig\Environment persists across requests - the cache accumulates indefinitely across all requests, making targeted or incidental denial of service achievable without any authentication. No public exploit has been identified at time of analysis and no CISA KEV listing exists.

Technical ContextAI

twig/intl-extra is a Composer package (pkg:composer/twig/intl-extra) that provides Twig template filters for PHP internationalization: format_datetime, format_date, format_time, format_number, and format_currency. Internally, IntlExtension constructs PHP \IntlDateFormatter and \NumberFormatter objects (wrappers around the ICU library) and memoizes them in instance-level arrays keyed by a hash of the filter arguments. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the cache has no maximum size and no eviction mechanism. The critical amplifying factor is that ICU (International Components for Unicode) allocates its internal buffers on the native heap via the Zend extension mechanism, completely outside the Zend memory manager's accounting. This means PHP's memory_limit INI directive does not constrain the growth - the process's OS-level RSS can grow without bound while PHP reports no memory limit violation. The vulnerability is exclusively architectural; there is no memory corruption or logic flaw in the ICU library itself.

RemediationAI

Upgrade twig/intl-extra to version 3.26.0 or later, which is the vendor-released patch confirmed in GHSA-35wc-cvqg-78fp. The fix introduces bounded FIFO caches capped at 100 entries each for both IntlDateFormatter and NumberFormatter objects, preventing unbounded heap growth. Execute composer require 'twig/intl-extra:^3.26.0' and redeploy. If an immediate upgrade is not possible, the most actionable compensating control is to audit and restrict whether user-supplied input can flow into the locale, pattern, grouping_used, or attrs arguments of Twig intl filters - eliminating attacker-controlled cache key diversity dramatically limits the practical impact, though it does not fix the underlying unbounded allocation. A secondary mitigation for persistent worker deployments is to configure scheduled worker restarts (e.g., RoadRunner's max_jobs setting to restart workers after N requests), which reclaims accumulated memory but introduces brief request interruption and does not prevent re-accumulation during each worker lifetime. See vendor advisory at https://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp.

Share

CVE-2026-46629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy