Composer, Twig and Concrete CMS 9.5.2


Jun 3, 2026
by andrew

Last week, the Symfony team disclosed a substantial set of security fixes across Symfony and Twig after an audit performed with Anthropic’s Claude Mythos project. Symfony reports that the audit uncovered 19 legitimate vulnerabilities across Symfony and Twig components, all of which were patched in their latest releases.


These disclosures landed immediately after our Concrete CMS 9.5.1 release. Beyond the usual concern that comes with upstream security advisories, they had an immediate practical impact on Concrete CMS users installing via Composer.

Composer 2.4 and later include built-in security auditing: the same check that composer audit runs is performed against the Packagist advisory database at the end of install, update and create-project. As soon as the Symfony advisories were published, Composer began flagging our dependency tree during installation. This caused issues for standard installations using:

composer create-project concretecms/composer myproject

To address this, we’ve released Concrete CMS 9.5.2 with updated dependencies. This release moves to patched Twig where the PHP version allows it, applies backported patches to Twig where it does not, and restores normal Composer installation behavior.

PHP Versions and Dependency Security Updates

If you are running Concrete CMS with Composer on PHP 8.2 or greater, you will receive all the current upstream Symfony and Twig security updates directly. That is the ideal and recommended configuration moving forward.

However, Concrete CMS still supports older PHP versions in the 9.5 series, including PHP 7.3, 8.0 and 8.1. Those environments cannot move to the latest Twig releases because newer Twig versions require newer PHP runtimes.

For those installations, the highest compatible Twig version is currently 3.11.3, which ships with Concrete CMS 9.5.1 and still ships with 9.5.2.

In 9.5.2, we have therefore implemented our own patches against Twig 3.11.3 in order to continue protecting users on older PHP versions. We could not cleanly backport every upstream Twig security change: some of Symfony’s newer sandbox-related fixes depend on architectural changes that occurred after Twig 3.11. Those changes don’t apply cleanly to the older codebase, and forcing them in would introduce unnecessary instability into supported Concrete CMS installations.

The patches we have backported cover the most critical issues. They are delivered via our Composer dependency-patches project. If you install Concrete via the regular standalone install or remote update, you get these dependency patches automatically in 9.5.2. For Composer-based installations, upgrading to 9.5.2 and/or simply updating your dependencies via composer update should be enough to apply these patches (or, on PHP 8.2+, update to the current upstream Twig release, in which case the patches are unnecessary).

Issues in the Twig Sandbox

Thankfully, the remaining Twig vulnerabilities that we cannot fully backport are limited to Twig’s sandbox mode. This mode is intended to let untrusted Twig templates be rendered under a security policy that restricts which tags, filters, functions, methods and properties they may use. It is not functionality exposed or used by standard Concrete CMS installations: Concrete CMS does not use Twig sandbox mode internally, and enabling it requires custom application-level development work in the first place. If you are using this functionality in a custom package or application, the dependency patches do not cover these issues, and you should strongly consider moving to a Composer-based installation on PHP 8.2+ with a version of twig/twig that is 3.23 or greater.

So while Composer security auditing may still report certain upstream Twig advisories on older PHP environments, the practical exposure for a standard Concrete CMS installation is extremely limited.

To summarize:

  • PHP 8.2+ with Composer installs receive the complete upstream Symfony and Twig security updates.
  • PHP 7.3 / 8.0 / 8.1 installations receive Concrete CMS backported fixes wherever technically possible.
  • The remaining unpatched upstream Twig advisories affect Twig sandbox mode only.
  • Concrete CMS does not use Twig sandbox mode.
  • Exploiting these remaining issues would require custom code that explicitly enables the sandbox and exposes it to untrusted template input.

As always, we strongly recommend keeping both Concrete CMS and PHP versions up to date whenever possible.