Composer has a command injection via malicious git branch name
High severity. GitHub Reviewed. Published Jun 10, 2024 in composer/composer. Updated Jun 20, 2024.
Impact
The status, reinstall and remove commands, when run against packages installed from source via git, can be made to execute code if the repository contains specially crafted branch names.
Patches
Fixed in 2.2.24 for the 2.2 LTS line and 2.7.7 for mainline.
Workarounds
Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.
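A triage helper, added here as an example and not part of the advisory or of Composer itself: it reads the version string from `composer --version` output, compares it against the two fixed releases named above, and checks whether composer.json already enforces the `preferred-install: dist` workaround. The sample inputs are constructed; versions outside the 2.2 line are compared against the mainline fix, which is an assumption for lines the advisory does not mention.

```python
import json
import re

# Fixed releases named in the advisory: 2.2.24 on the 2.2 LTS line, 2.7.7 on mainline.
FIXED_LTS = (2, 2, 24)
FIXED_MAINLINE = (2, 7, 7)


def parse_composer_version(output):
    """Pull x.y.z out of `composer --version` output; None if no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", output)
    return tuple(int(p) for p in m.groups()) if m else None


def is_unpatched(version):
    """True when the version predates the fix on its release line.
    2.2.x is compared against the LTS fix; anything else against the mainline fix
    (assumption: this also treats 2.3 through 2.6 as unpatched)."""
    if version[:2] == (2, 2):
        return version < FIXED_LTS
    return version < FIXED_MAINLINE


def dist_enforced(composer_json_text):
    """True when config.preferred-install forces 'dist' for every package.
    Handles both the plain string form and the per-pattern object form; an absent
    or partial setting returns False, i.e. the workaround is not enforced."""
    config = json.loads(composer_json_text).get("config", {})
    pref = config.get("preferred-install")
    if isinstance(pref, str):
        return pref == "dist"
    if isinstance(pref, dict):
        return pref.get("*") == "dist" and all(v == "dist" for v in pref.values())
    return False


def assess(version_output, composer_json_text):
    """Combine both checks into one verdict: action is needed when the binary is
    unpatched and the dist-only workaround is not in place."""
    version = parse_composer_version(version_output)
    unpatched = version is not None and is_unpatched(version)
    workaround = dist_enforced(composer_json_text)
    return {"version": version, "unpatched": unpatched,
            "workaround_active": workaround,
            "action_needed": unpatched and not workaround}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real project.
    sample_version = "Composer version 2.7.6 2024-05-07 17:06:15"
    sample_json = '{"config": {"preferred-install": {"acme/*": "source", "*": "dist"}}}'
    print(assess(sample_version, sample_json))
```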