Critical Security Flaws Discovered in Popular PHP Package Manager

CVE-2024-35241 & CVE-2024-35242

Composer, the widely used PHP dependency manager, has issued security updates for two vulnerabilities that let an attacker run arbitrary commands on affected systems. Developers are strongly urged to update immediately to the patched releases: 2.7.7 for PHP 7.2 and newer, and 2.2.24 (the LTS branch) for PHP 5.3 to 7.1.

The vulnerabilities, tracked as CVE-2024-35241 and CVE-2024-35242, are both command injections through maliciously named git/hg branches: Composer builds VCS commands that include a branch name, so a name containing shell metacharacters can smuggle extra commands into the command line. They affect systems that have installed Composer packages from source (a git clone rather than a dist archive) or that run Composer inside a checked-out git/hg repository whose branch names an attacker controls; in either case the injected commands run with the privileges of the user invoking Composer.

CVE-2024-35241: Status, Reinstall, and Remove Commands Vulnerable

The first vulnerability, reported by Martin Haunschmid, affects Composer's status, reinstall and remove commands. An attacker who can get a package installed from source with a crafted branch name checked out has their payload executed when one of those commands is run against that package. Packagist.org itself does not expose users to this; the risk is to users who install packages from untrusted sources, for example a VCS repository they do not control.

CVE-2024-35242: Multiple Command Injections in Git/Hg Repositories

The second vulnerability, reported by Maciej Piechota (haqpl), is in the code Composer uses to determine the currently checked-out version when it runs inside a git/hg repository. A crafted branch name in that repository triggers command injection. It cannot be exploited through installed dependencies; the exposure is environments that run Composer in a checkout whose branch names an attacker can choose, such as a CI job that builds branches pushed by third-party contributors.
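An added example, not Composer's own code and not part of the original article: a POSIX shell audit that walks a vendor/ tree, finds packages installed from source (git or hg checkouts) and flags branch names that could carry a command or argument injection payload. It reads .git/HEAD and .hg/branch as plain files rather than invoking git or hg, so the audit itself never runs a VCS command against an untrusted checkout. Pointing it at the project root instead of vendor/ gives the equivalent check for the project's own checkout. The acme/* package names, the paths and the hostile branch names are constructed for the example.

```shell
#!/bin/sh
# Added example, not Composer's own code: audit a Composer vendor/ tree for
# packages installed from source (git/hg checkouts) and flag branch names that
# could carry a command or argument injection payload. .git/HEAD and .hg/branch
# are read as plain files so the audit itself never runs git or hg on an
# untrusted checkout.

# Return 0 if a branch name would be unsafe to splice into a shell command.
is_suspicious_branch() {
  case $1 in
    -*) return 0 ;;   # leading dash: git/hg would parse it as an option
  esac
  # metacharacters a shell would interpret if the name were interpolated
  # unquoted into a command string (git allows all of these in ref names)
  printf '%s\n' "$1" | grep -q '[;&|$`()<>"'"'"' ]'
}

# Print the checked-out branch recorded in a .git/HEAD or .hg/branch file.
# Prints nothing for a detached git HEAD (a raw commit id, no branch name).
branch_of() {
  case $1 in
    */.git/HEAD)  sed -n 's#^ref: refs/heads/##p' "$1" ;;
    */.hg/branch) cat "$1" ;;
  esac
}

# Print "<checkout dir> <branch>" for every suspicious checkout under $1.
audit_vendor() {
  find "$1" -type f \( -path '*/.git/HEAD' -o -path '*/.hg/branch' \) |
  while IFS= read -r marker; do
    branch=$(branch_of "$marker")
    [ -n "$branch" ] || continue
    if is_suspicious_branch "$branch"; then
      printf '%s %s\n' "$(dirname "$(dirname "$marker")")" "$branch"
    fi
  done
}

# Constructed sample tree (the acme/* packages are not real): two benign
# checkouts and two whose branch names would be flagged. Prints its path.
make_sample_vendor() {
  root=$(mktemp -d)
  mkdir -p "$root/acme/safe-git/.git" "$root/acme/evil-git/.git" \
           "$root/acme/safe-hg/.hg"   "$root/acme/evil-hg/.hg"
  printf '%s\n' 'ref: refs/heads/main'    > "$root/acme/safe-git/.git/HEAD"
  printf '%s\n' 'ref: refs/heads/main;id' > "$root/acme/evil-git/.git/HEAD"
  printf '%s\n' 'default'                 > "$root/acme/safe-hg/.hg/branch"
  printf '%s\n' '--not-a-branch'          > "$root/acme/evil-hg/.hg/branch"
  printf '%s\n' "$root"
}

# Usage: sh audit-vendor.sh path/to/vendor   (or the project root itself)
if [ $# -gt 0 ]; then
  audit_vendor "$1"
fi
```

Flagging a leading dash as well as shell metacharacters covers both ways a branch name can turn into an injection: a tool that passes the name as a separate argv element is immune to metacharacters but still treats a name such as --upload-pack=... as an option unless it separates options from operands with "--". The general fix for code that builds such commands is to pass the name as its own argument after "--", or to escape it with the platform's shell quoting, and never to interpolate it raw into a command string.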

Mitigating the Threat: Update Composer Now!

The Composer team has released patched versions that fix both issues and add further hardening against hostile git/hg metadata. Check the installed version with composer --version and upgrade with composer self-update (or through your distribution's package manager) as soon as possible. Where an immediate upgrade is not possible, installing dependencies as dist archives (the --prefer-dist flag, or preferred-install set to dist) avoids the source checkouts that CVE-2024-35241 depends on, and CI pipelines should not run an unpatched Composer on checkouts whose branch names come from untrusted contributors.