Arbitrary Code Execution Vulnerability in Composer Affects PHP Developers
CVE-2024-24821

8.8 HIGH

Key Information:

Vendor

Composer

Status
Vendor
CVE Published:
9 February 2024

What is CVE-2024-24821?

The Composer Dependency Manager is susceptible to a vulnerability where, in affected versions, files within the local working directory are included during execution by the Composer CLI. This can lead to arbitrary code execution, enabling local privilege escalation and potential lateral movement within user environments. The risk is particularly pronounced when Composer is executed with sudo privileges, run in CI/CD pipelines against untrusted projects, or used in shared environments: in each case, invoking Composer in a directory containing tampered files can result in malicious code execution. Versions 2.7.0 and 2.2.23 address this vulnerability. Recommended mitigations include removing sudo access for Composer, running Composer only in trusted directories, and verifying the integrity of key files before executing Composer commands.

Affected Version(s)

composer >= 2.0, < 2.2.23

composer >= 2.3, < 2.7

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published
