Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-3838-1 | composer security update |
![]() |
DSA-5715-1 | composer security update |
![]() |
EUVD-2024-1909 | Composer has a command injection via malicious git branch name |
![]() |
GHSA-47f6-5gq3-vx9c | Composer has a command injection via malicious git branch name |
![]() |
USN-7603-1 | Composer vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 21 Apr 2025 16:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 13 Feb 2025 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-04-21T15:20:35.089Z
Reserved: 2024-05-14T15:39:41.786Z
Link: CVE-2024-35241

Updated: 2025-04-21T15:20:35.089Z

Status : Awaiting Analysis
Published: 2024-06-10T22:15:09.677
Modified: 2025-04-21T16:15:54.053
Link: CVE-2024-35241

No data.

No data.