Threat Advisory

Composer Vulnerability Allows Command Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Composer, a popular package manager for PHP, affecting versions 2.3.0 to 2.9.6 and 2.0.0 to 2.2.27. These vulnerabilities are of a command injection type, where an attacker can inject arbitrary commands through user-supplied Perforce connection parameters or repository metadata. This can lead to command execution in the context of the user running Composer, posing a significant risk to users who run Composer commands on untrusted projects or install dependencies from compromised or malicious repositories. The business risk is substantial, as attackers can potentially execute arbitrary commands on users' systems, leading to data theft, system compromise, or other malicious activities.


  • CVE-2026-40176 with a CVSS score of 7.8 - This vulnerability occurs when an attacker controls a repository configuration in a malicious composer.json declaring a Perforce VCS repository, which can inject arbitrary commands through user-supplied Perforce connection parameters. The attacker can execute arbitrary commands in the context of the user running Composer, even if Perforce is not installed.
  • CVE-2026-40261 with a CVSS score of 8.8 - This vulnerability occurs when an attacker provides a crafted source reference containing shell metacharacters, allowing the injection of arbitrary commands through the Perforce::syncCodeBase() method. The attacker can also exploit the Perforce::generateP4Command() method by providing a malicious source url field, allowing the execution of arbitrary commands in the context of the user running Composer.

The overall risk and urgency of these vulnerabilities are high, as they can be exploited through various means, including compromised or malicious repositories. If exploited, the business consequences can be severe, including data theft, system compromise, or other malicious activities.
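As an added example (not part of the advisory or of Composer itself), the following Python script audits a project's composer.json and composer.lock before Composer is run on an untrusted project: it flags any declared Perforce repository or Perforce package source, and any url, connection parameter or source reference that contains shell metacharacters of the kind these CVEs abuse. The "type", "url" and "reference" keys are Composer's own; the other Perforce parameter names checked are assumptions for this example, and the sample inputs are constructed.

```python
import json
import re

# Characters that have no place in a Perforce host, depot path or changelist reference.
_META = re.compile("[" + re.escape(";&|`$<>(){}\n\r\\'\"") + "]")

# Keys of a "perforce" repository entry that end up on the p4 command line.
# "type" and "url" are documented Composer keys; the others are assumed here.
_P4_KEYS = ("url", "branch", "depot", "p4user", "p4password")

def _iter_repos(repos):
    """Yield (key, entry) pairs; composer.json allows a list or a name-keyed dict."""
    if isinstance(repos, dict):
        return repos.items()
    return ((str(i), r) for i, r in enumerate(repos or []))

def audit_composer_json(text):
    """Flag Perforce repositories in composer.json and any suspicious field values."""
    findings = []
    for key, repo in _iter_repos(json.loads(text).get("repositories")):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        findings.append((key, "perforce repository declared"))
        for field in _P4_KEYS:
            value = repo.get(field)
            if isinstance(value, str) and _META.search(value):
                findings.append((key, "shell metacharacters in " + field))
    return findings

def audit_composer_lock(text):
    """Flag locked packages whose source is Perforce with a suspicious url or reference."""
    findings = []
    lock = json.loads(text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source") or {}
        if src.get("type") != "perforce":
            continue
        name = pkg.get("name", "?")
        findings.append((name, "perforce source"))
        for field in ("url", "reference"):
            value = src.get(field)
            if isinstance(value, str) and _META.search(value):
                findings.append((name, "shell metacharacters in " + field))
    return findings

# Constructed sample inputs: one clean Composer repo, one Perforce repo with an injected url,
# and a locked package whose Perforce reference carries a command substitution.
SAMPLE_COMPOSER_JSON = json.dumps({"repositories": [
    {"type": "composer", "url": "https://packagist.example"},
    {"type": "perforce", "url": "ssl:p4.example:1666; echo injected", "p4user": "ci"}]})
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "acme/lib", "source": {"type": "perforce", "url": "ssl:p4.example:1666",
                                    "reference": "42`echo injected`"}}], "packages-dev": []})
```

Run both audits as a pre-install gate in CI and fail the job on any finding; a Perforce repository that was not deliberately configured is itself worth a manual look.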

RECOMMENDATION:

We recommend updating Composer to version 2.2.27.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-wg36-wvj6-r67p
https://github.com/advisories/GHSA-gqw4-4w2p-838q
