CVE-2024-35242

HIGH

Composer < 2.2.24 - Command Injection

Title source: rule

Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Exploits (1)

nomisec STUB
by KKkai0315 · poc
https://github.com/KKkai0315/CVE-2024-35242

Scores

CVSS v3 8.8
EPSS 0.2379
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-77
Status published
Products (3)
composer/composer 2.0 - 2.2.24 (Packagist)
composer/composer >= 2.0, < 2.2.24
composer/composer >= 2.3, < 2.7.7
Published Jun 10, 2024
Tracked Since Feb 18, 2026