Search for packages
| purl | pkg:composer/composer/composer@2.5.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1cgx-psut-e3hh
Aliases: CVE-2025-67746 GHSA-59pp-r3rg-353g |
Composer is vulnerable to ANSI sequence injection Attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade. |
Affected by 2 other vulnerabilities. |
|
VCID-4pb1-p6st-4kg4
Aliases: CVE-2024-24821 GHSA-7c6p-848j-wh5h |
Inclusion of Functionality from Untrusted Control Sphere Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh rm vendor/composer/installed.php vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins ``` |
Affected by 5 other vulnerabilities. |
|
VCID-8pap-8xmr-m3ha
Aliases: CVE-2026-40176 GHSA-wg36-wvj6-r67p |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-fzya-vz4m-5yhu
Aliases: CVE-2023-43655 GHSA-jm6m-4632-36hf |
Composer Remote Code Execution vulnerability via web-accessible composer.phar Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini. |
Affected by 6 other vulnerabilities. |
|
VCID-kpnb-b563-1yft
Aliases: CVE-2026-40261 GHSA-gqw4-4w2p-838q |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-vy1p-sn17-uybt
Aliases: CVE-2024-35241 GHSA-47f6-5gq3-vx9c |
Affected by 3 other vulnerabilities. |
|
|
VCID-ww6j-dye5-7uac
Aliases: CVE-2024-35242 GHSA-v9qv-c7wm-wgmf |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||