Description The object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to "CoreExtension::getAttribute()" with the "$sandboxed" argument hardcoded to "false", regardless of whether a "SandboxExtension" is active. This permanently disables the sandbox's property and method policy checks for every destructuring expression. "ObjectDestructuringSetBinary::compile()" emits: CoreExtension::getAttribute($this->env, $this->source, ..., \Twig\Template::ANY_CALL, false, false, false, ...); // ^^^^^ // sandbox check never runs Whereas "GetAttrExpression::compile()" correctly passes "$env->hasExtension(SandboxExtension::class)". An attacker with write access to a sandboxed Twig template can read any public property or invoke any public getter on objects passed to the template engine, bypassing "SecurityPolicy" restrictions. The exploit requires only the "{% do %}" tag to be in "allowedTags", which is a common configuration. Resolution The destructuring compiler now forwards the active sandbox flag to "getAttribute()" so property/method allowlists are enforced. Credits Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting and fixing the issue.