CVE-2024-35242

HIGH

Composer 2.0-2.2.23 and 2.3-2.7.6 - Command Injection via Crafted Git/Hg Branch Names

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-35242. PoCs published by KKkai0315.

AI-analyzed exploit summary: The repository contains only a minimal README with no technical details or exploit code. It is a placeholder with no substantive content.

Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, running the `composer install` command inside a git/hg repository that has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Exploits (1)

nomisec STUB
by KKkai0315 · poc
https://github.com/KKkai0315/CVE-2024-35242


Classification
Stub 100%
Attack Type
Other
Complexity
Unknown
Reliability
Unknown
Target: unknown
Auth required
Analyzed by devstral-2 on Feb 18, 2026.

Scores

CVSS v3 8.8
EPSS 0.2379
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (3)
composer/composer 2.0 - 2.2.24 (Packagist)
composer/composer >= 2.0, < 2.2.24
composer/composer >= 2.3, < 2.7.7
Published Jun 10, 2024
Tracked Since Feb 18, 2026