Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
References (7)
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
Third Party Advisory: https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability
Third Party Advisory: https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer
Vendor Advisory (x_refsource_confirm): https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
Patch (x_refsource_misc): https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
Scores
CVSS v3: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0043
EPSS Percentile: 62.6%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (3)
composer/composer, 2.0 - 2.2.24 (Packagist)
composer/composer, >= 2.0, < 2.2.24
composer/composer, >= 2.3, < 2.7.7
Published: Jun 10, 2024
Tracked Since: Feb 18, 2026