Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3838-1 composer security update
Debian DSA Debian DSA DSA-5715-1 composer security update
EUVD EUVD EUVD-2024-1909 Composer has a command injection via malicious git branch name
Github GHSA Github GHSA GHSA-47f6-5gq3-vx9c Composer has a command injection via malicious git branch name
Ubuntu USN Ubuntu USN USN-7603-1 Composer vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 21 Apr 2025 16:45:00 +0000


Thu, 13 Feb 2025 18:00:00 +0000

Type Values Removed Values Added
Description Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-04-21T15:20:35.089Z

Reserved: 2024-05-14T15:39:41.786Z

Link: CVE-2024-35241

cve-icon Vulnrichment

Updated: 2025-04-21T15:20:35.089Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-06-10T22:15:09.677

Modified: 2025-04-21T16:15:54.053

Link: CVE-2024-35241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.