Lucene search

Getcomposer Composer

8 matches found

added 2021/04/27 9:15 p.m., 277 views

CVE-2021-29472

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Compo...

CVSS 8.8, AI score 9, EPSS 0.03867

added 2024/06/10 10:15 p.m., 225 views

CVE-2024-35241

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are a...

CVSS 8.8, AI score 8.8, EPSS 0.00317

added 2024/06/10 10:15 p.m., 217 views

CVE-2024-35242

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available...

CVSS 8.8, AI score 8.8, EPSS 0.18969

added 2022/04/13 9:15 p.m., 157 views

CVE-2022-24828

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call VcsDriver::getFileContent can have a code injection vulnerability if the user can control the $file or $identifier argument. This leads to a vulnerability on packagist.org for example where th...

CVSS 8.8, AI score 8.7, EPSS 0.00216

added 2023/09/29 8:15 p.m., 134 views

CVE-2023-43655

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 an...

CVSS 8.8, AI score 7.8, EPSS 0.02804

added 2021/10/05 6:15 p.m., 113 views

CVE-2021-41116

Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has been resolved in co...

CVSS 9.8, AI score 9.2, EPSS 0.00828

added 2024/02/09 12:15 a.m., 77 views

CVE-2024-24821

Composer is a dependency manager for the PHP language. In affected versions, several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privileg...

CVSS 8.8, AI score 7.8, EPSS 0.00106

added 2023/09/21 6:15 a.m., 39 views

CVE-2015-8371

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist ty...

CVSS 8.8, AI score 8.6, EPSS 0.00716