twig/intl-extra CVE-2026-46629

Description

IntlExtension memoises every \IntlDateFormatter and \NumberFormatter it creates in instance-level arrays keyed on a hash that includes locale, pattern, attrs and other values that are ordinary named arguments of the format_datetime / format_date / format_time / format_number / format_currency filters. There is no size limit and no eviction.

A template that iterates over many distinct pattern (or locale, or grouping_used, ...) values therefore allocates one ICU formatter object per distinct value and pins it for the entire lifetime of the Twig\Environment. Because ICU allocates its backing buffers outside the Zend memory manager, this growth is not bounded by memory_limit. On long-running runtimes (RoadRunner, Swoole, FrankenPHP worker mode, ReactPHP) where the Environment outlives a single request, the cache also accumulates across requests.

Resolution

The formatter caches are now bounded in size (100 entries each) and evict on a FIFO basis.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.