CVE-2024-35242
Composer has multiple command injections via malicious git/hg branch names
High severity GitHub Reviewed Published Jun 10, 2024 in composer/composer • Updated Jun 10, 2024
Package
composer/composer (Composer ecosystem)
Affected versions
>= 2.0, < 2.2.24
>= 2.3, < 2.7.7
Patched versions
2.2.24
2.7.7
Description
Impact
Running the composer install command inside a git/hg repository that has specially crafted branch names can lead to command injection. Exploitation therefore requires cloning an untrusted repository first.
Patches
2.2.24 for the 2.2 LTS branch, or 2.7.7 for mainline
Workarounds
Avoid cloning potentially compromised repositories.
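The workaround above is a policy, not a control. A practical pre-flight check before running composer install in a freshly cloned repository is to audit the repository's ref names against a conservative allowlist and refuse to proceed when any name carries shell-significant characters. The script below is an added example for this advisory, not code from Composer or from the advisory itself; the allowlist and the SAMPLE_REFS list are constructed assumptions (the allowlist is deliberately stricter than what git's own check-ref-format permits, since git allows characters such as $, ;, |, & and parentheses in ref names).

```python
import re
import subprocess
import sys

# Conservative allowlist for ref names. Git itself rejects space, ~, ^, :, ?,
# *, [, \ and control characters but still permits many shell-significant
# characters; this pattern is intentionally stricter than git's rules.
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")

# Characters that are a red flag if a ref name might ever be interpolated
# into a shell command line by a tool operating on the repository.
SHELL_META = set("$`;|&<>()'\"\n\\ ")


def suspicious_chars(ref):
    """Return the set of shell-significant characters present in a ref name."""
    return {c for c in ref if c in SHELL_META}


def audit_refs(refs):
    """Map every ref name that fails the allowlist to a short reason.

    An empty dict means every ref name looks benign. Names that fail the
    allowlist without containing shell metacharacters (e.g. non-ASCII names)
    are reported separately so a reviewer can triage them by hand.
    """
    findings = {}
    for ref in refs:
        name = ref.strip()
        if not name or SAFE_REF.match(name):
            continue
        bad = suspicious_chars(name)
        if bad:
            findings[name] = "shell metacharacters: " + "".join(sorted(bad))
        else:
            findings[name] = "outside conservative allowlist"
    return findings


def list_local_refs(repo_path="."):
    """Ask git for every ref name (heads, tags, remotes) in repo_path.

    Returns [] when git is unavailable or the path is not a repository, so the
    caller can tell 'nothing to check' apart from 'findings present'.
    """
    try:
        out = subprocess.run(
            ["git", "-C", repo_path, "for-each-ref", "--format=%(refname)"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.splitlines()


# Constructed sample input in the format `git for-each-ref` prints. The last
# three names are made-up examples of refs that should stop an install.
SAMPLE_REFS = [
    "refs/heads/main",
    "refs/heads/feature/login-2.1",
    "refs/tags/v1.0.0",
    "refs/heads/release;echo",
    "refs/heads/$(date)",
    "refs/heads/ünicode",
]


def main():
    # With a path argument the real repository is audited; without one the
    # constructed sample is used so the script runs offline.
    repo = sys.argv[1] if len(sys.argv) > 1 else None
    refs = list_local_refs(repo) if repo else SAMPLE_REFS
    findings = audit_refs(refs)
    for ref, why in findings.items():
        print(f"REFUSE {ref!r}: {why}")
    if findings:
        print("suspicious ref names found; do not run composer install here")
        return 1
    print("all ref names pass the allowlist")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python audit_refs.py /path/to/clone` in CI or a pre-install hook and gate composer install on a zero exit status. Because the check reads ref names from git's plumbing output rather than from anything Composer does, it works the same on the unpatched 2.2.x and 2.7.x releases as on the fixed ones; upgrading to 2.2.24 or 2.7.7 remains the actual fix.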
References
- GHSA-v9qv-c7wm-wgmf
- composer/composer@6bd43df
- composer/composer@fc57b93
Published to the GitHub Advisory Database
Jun 10, 2024
Last updated
Jun 10, 2024
Related news
Debian Linux Security Advisory 5715-1 - Two vulnerabilities have been discovered in Composer, a dependency manager for PHP, which could result in arbitrary command execution by operating on malicious git/hg repositories.