Command Line Injection Vulnerability in Composer Dependency Manager
CVE-2025-67746

1.3 LOW

Key Information:

Vendor: Composer
Status: Vendor
CVE Published: 30 December 2025

What is CVE-2025-67746?

Composer, a widely used dependency manager for PHP, has a vulnerability that allows an attacker who controls a remote source (for example a package repository Composer fetches metadata from) to inject ANSI escape sequences and other control characters into Composer's terminal output. A terminal rendering that output can behave unpredictably, causing confusion for the user or a denial of service of the terminal application. Users are encouraged to upgrade to version 2.2.26 or 2.9.3, which include a patch that mitigates the issue. For more information, refer to the advisory and the release notes for the updated versions.
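The defensive measure described above, as an added illustration that is not Composer's own code: untrusted text received from a remote source is stripped of ANSI escape sequences (CSI, OSC and 8-bit C1 controls) and C0 control characters before it is written to the terminal, and text that contained any is flagged so the tool can log or refuse it. The sample description string is constructed for the example.

```python
import re

# Constructed sample: a package description a malicious remote repository
# could serve. It clears the screen, plants an OSC 8 hyperlink, and uses an
# 8-bit CSI and BEL. Not real package data.
UNTRUSTED_DESCRIPTION = (
    "A harmless library\x1b[2J\x1b[H"
    "\x1b]8;;https://example.invalid\x1b\\Trusted vendor\x1b]8;;\x1b\\"
    "\x9bKtail\x07"
)

# Escape sequences a terminal would act on. Order matters: the specific
# CSI/OSC forms are tried before the generic ESC+char fallback.
_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # 7-bit CSI: ESC [ params final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC, terminated by BEL or ST
    r"|\x1b[@-Z\\-_]"                       # other two-byte Fe escapes
    r"|\x1b."                               # any remaining ESC + one char
    r"|\x9b[0-?]*[ -/]*[@-~]"               # 8-bit CSI (U+009B) sequence
    r"|[\x80-\x9f]"                         # remaining 8-bit C1 controls
)

# C0 controls except TAB and LF (CR is dropped too, since it lets text
# overwrite the current line), plus DEL. Any ESC left over is caught here.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize_for_terminal(text: str) -> str:
    """Return text safe to print: escape sequences and control chars removed."""
    return _CONTROL_RE.sub("", _ESCAPE_RE.sub("", text))


def contains_terminal_control(text: str) -> bool:
    """True if the remote-supplied text carried anything a terminal would
    interpret; a caller can log the source or refuse to display it."""
    return sanitize_for_terminal(text) != text


if __name__ == "__main__":
    if contains_terminal_control(UNTRUSTED_DESCRIPTION):
        print("warning: remote metadata contained terminal control sequences")
    print(sanitize_for_terminal(UNTRUSTED_DESCRIPTION))
```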

Affected Version(s)

Package    Affected            Not affected
composer   >= 2.0, < 2.2.26    < 2.0, 2.2.26
composer   >= 2.3, < 2.9.3     < 2.3, 2.9.3

CVSS V4

Score: 1.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved