Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-3838-1 | composer security update |
![]() |
DSA-5715-1 | composer security update |
![]() |
GHSA-v9qv-c7wm-wgmf | Composer has multiple command injections via malicious git/hg branch names |
![]() |
USN-7603-1 | Composer vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 13 Feb 2025 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-02-13T17:52:34.786Z
Reserved: 2024-05-14T15:39:41.786Z
Link: CVE-2024-35242

Updated: 2024-08-02T03:07:46.921Z

Status : Awaiting Analysis
Published: 2024-06-10T22:15:09.893
Modified: 2025-02-13T18:18:05.910
Link: CVE-2024-35242

No data.

No data.