
Remote Code Execution via web-accessible composer.phar

Low
Seldaek published GHSA-jm6m-4632-36hf Sep 29, 2023

Package

composer composer/composer (Composer)

Affected versions

<1.10.27 || >=2.0,<2.2.21 || >=2.3,<2.6.4

Patched versions

2.6.4, 2.2.21, 1.10.27

Description

Impact

Users who publish a composer.phar to a public, web-accessible server where composer.phar can be executed as a PHP file may be impacted if PHP also has register_argc_argv enabled in php.ini. Composer is a console application that takes its command line from $argv; with register_argc_argv on, a web SAPI populates $argv (and $_SERVER['argv']) from the request's query string, so an HTTP request rather than the operator ends up supplying the arguments that composer.phar executes.

Patches

2.6.4, 2.2.21 and 1.10.27 patch this vulnerability.

Workarounds

Make sure register_argc_argv is disabled in php.ini, and do not publish composer.phar to the web at all: it is a command-line tool and has no business under a document root.
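The two workaround conditions above are easy to audit mechanically. The script below is an added example written for this page, not Composer project code: it reads a php.ini to find the effective register_argc_argv value (last uncommented assignment wins, as PHP resolves it) and searches one or more document roots for a stray composer.phar. The paths used in the usage comment are assumptions. Two PHP facts the check relies on: PHP's compiled-in default for register_argc_argv is On (the shipped php.ini-production and php.ini-development templates are what turn it Off), so an absent directive counts as enabled; and the CLI SAPI forces it On regardless of php.ini, which is why Composer keeps working from a terminal after you disable it for the web SAPI.

```shell
#!/bin/sh
# Added audit example for GHSA-jm6m-4632-36hf / CVE-2023-43655 exposure.
# Not part of Composer. Checks the advisory's two workaround conditions:
#   1. register_argc_argv is Off for the web SAPI's php.ini
#   2. no composer.phar sits under a web-served document root

# ini_register_argc_argv FILE
# Print the effective register_argc_argv value from a php.ini, lowercased,
# with quotes/whitespace stripped. The last uncommented assignment wins,
# mirroring how PHP applies repeated directives. Prints "unset" if absent.
ini_register_argc_argv() {
    awk '
        { sub(/[;#].*/, "") }                      # drop ; and # comments
        tolower($0) ~ /^[ \t]*register_argc_argv[ \t]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[ \t"]/, "", v)
            val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# argc_argv_enabled FILE -> exit 0 if PHP would treat the setting as enabled.
# "unset" is treated as enabled because PHP's built-in default is On.
argc_argv_enabled() {
    case "$(ini_register_argc_argv "$1")" in
        1|on|yes|true|unset) return 0 ;;
        *) return 1 ;;
    esac
}

# find_web_phars DOCROOT... -> print every composer.phar under the roots.
find_web_phars() {
    [ "$#" -gt 0 ] || return 0
    find "$@" -type f -name 'composer.phar' 2>/dev/null
}

# audit_composer_exposure INI DOCROOT... -> 0 when both conditions are
# satisfied, 1 when either workaround is missing (details on stderr).
audit_composer_exposure() {
    ini="$1"; shift
    bad=0
    if argc_argv_enabled "$ini"; then
        echo "FAIL: register_argc_argv is enabled (or unset, default On) in $ini" >&2
        bad=1
    fi
    phars=$(find_web_phars "$@")
    if [ -n "$phars" ]; then
        echo "FAIL: composer.phar reachable under a web root:" >&2
        echo "$phars" >&2
        bad=1
    fi
    return $bad
}

# Usage (assumed paths; point at the php.ini of the web SAPI, e.g. FPM or
# mod_php, not the CLI one, plus every document root the server exposes):
#   sh composer-exposure-audit.sh /etc/php/8.2/fpm/php.ini /var/www/html
if [ "$#" -ge 2 ]; then
    audit_composer_exposure "$@"
fi
```

Run it against the php.ini of the SAPI that actually serves requests; `php --ini` from a shell reports the CLI configuration, which is the one SAPI where register_argc_argv cannot be turned off and therefore tells you nothing about web exposure.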

Severity

Low

CVE ID

CVE-2023-43655

Weaknesses

No CWEs