Search for packages
| purl | pkg:composer/composer/composer@2.0.0-alpha1 |
| Next non-vulnerable version | 2.2.27 |
| Latest non-vulnerable version | 2.10.0-RC1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1sk6-xbn9-q7es
Aliases: CVE-2026-40176 GHSA-wg36-wvj6-r67p |
composer: command injection via malicious Perforce repository definition |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2pwj-7xfy-zkh3
Aliases: CVE-2024-24821 GHSA-7c6p-848j-wh5h |
Inclusion of Functionality from Untrusted Control Sphere Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh rm vendor/composer/installed.php vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins ``` |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-5ccv-kq34-9kf2
Aliases: CVE-2021-41116 GHSA-frqg-7g38-6gcf |
arbitrary command execution |
Affected by 8 other vulnerabilities. |
|
VCID-m72z-wq6e-6qg3
Aliases: CVE-2021-29472 GHSA-h5h8-pc6h-jvvx |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue. |
Affected by 9 other vulnerabilities. |
|
VCID-q7kj-g74r-s7ec
Aliases: CVE-2026-40261 GHSA-gqw4-4w2p-838q |
composer: command injection via malicious Perforce source reference/url |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||