
Command injection via malicious git branch name

High
Seldaek published GHSA-47f6-5gq3-vx9c Jun 10, 2024

Package

composer composer/composer (Composer)

Affected versions

>=2.0,<2.2.24 || >=2.3,<2.7.7

Patched versions

2.2.24, 2.7.7

Description

Impact

The status, reinstall and remove commands, when used with packages installed from source via git, can be made to execute code if the package's repository contains specially crafted branch names.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.
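An added example (not part of the advisory or of Composer) that turns the two facts above into a check a CI job can run: whether a Composer version string falls inside the affected ranges, and whether a project's composer.json already forces the preferred-install: dist workaround. The version parser, the audit() helper and the sample composer.json are constructed for this example.

```python
"""Audit exposure to GHSA-47f6-5gq3-vx9c (CVE-2024-35241).

Constructed example; not the advisory's or Composer's own code.
"""
import json
import re

# Affected ranges taken from the advisory: >=2.0,<2.2.24 || >=2.3,<2.7.7
# Each entry is a half-open interval [lower, upper) of version tuples.
AFFECTED_RANGES = [((2, 0, 0), (2, 2, 24)), ((2, 3, 0), (2, 7, 7))]


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from '2.7.6' or a `composer --version` line."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def workaround_applied(composer_json: str) -> bool:
    """True when composer.json forces dist installs for every package.

    preferred-install may be a plain string or a per-package map
    (e.g. {"*": "dist"}); only 'dist' everywhere counts as applied.
    An unset key is treated conservatively as not applied.
    """
    pref = json.loads(composer_json).get("config", {}).get("preferred-install")
    if isinstance(pref, str):
        return pref == "dist"
    if isinstance(pref, dict):
        return bool(pref) and all(v == "dist" for v in pref.values())
    return False


def audit(version: str, composer_json: str) -> str:
    """Classify a project as 'patched', 'mitigated' or 'vulnerable'."""
    if not is_affected(version):
        return "patched"
    return "mitigated" if workaround_applied(composer_json) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample input: an affected Composer and a bare composer.json.
    sample_json = '{"name": "example/app", "config": {"preferred-install": "source"}}'
    print(audit("Composer version 2.7.6 2024-05-01", sample_json))  # vulnerable
```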

Severity

High

CVE ID

CVE-2024-35241

Weaknesses

No CWEs

Credits