Merge pull request #17612 from craftcms/bugfix/twig-ssti

brandonkelly · web-flow · commit e77f8a287dcd · 2025-07-15T09:12:02.000-07:00
Add call_user_func to Twig checkArrowFunction
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 4
 
+## Unreleased
+
+- Fixed an RCE vulnerability.
+
 ## 4.16.4 - 2025-07-08
 
 - Fixed an information disclosure vulnerability.
diff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php
@@ -122,6 +122,7 @@ private static function checkArrowFunction(mixed $arrow, string $thing, string $
                 'file_get_contents',
                 'file_put_contents',
                 'popen',
+                'call_user_func',
             ])
         ) {
             throw new RuntimeError(sprintf('The "%s" %s does not support passing "%s".', $thing, $type, $arrow));
