Composer Remote Code Execution vulnerability via web-accessible composer.phar
High severity | GitHub Reviewed | Published Sep 29, 2023 in composer/composer | Updated Mar 27, 2024
Impact
Users publishing a composer.phar to a public web-accessible server, where the composer.phar can be executed as a PHP file, may be impacted if PHP also has register_argc_argv enabled in php.ini.
Patches
2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.
Workarounds
Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web: it is a command-line tool and should never be reachable over HTTP.
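As an added example, not code from the advisory or the Composer project, the following POSIX shell audit checks both workaround conditions on a host: whether a composer.phar sits under a web document root, and whether the php.ini used by the web SAPI leaves register_argc_argv enabled. The document-root and php.ini paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Composer project.
# Audits the two conditions the advisory names: a composer.phar reachable under
# a web document root, and register_argc_argv enabled in the php.ini used by
# the web SAPI. Paths are passed as arguments; the ones in the usage comment
# at the bottom are assumptions about a typical deployment.

# Prints any composer.phar found under the document root.
# Returns 0 when none is found, 1 when at least one is.
find_exposed_phar() {
  docroot="$1"
  found=$(find "$docroot" -type f -name 'composer.phar' 2>/dev/null)
  if [ -n "$found" ]; then
    printf 'composer.phar reachable under web root:\n%s\n' "$found"
    return 1
  fi
  return 0
}

# Reads the effective register_argc_argv value from a php.ini.
# Returns 0 when it is off, 1 when it is on. A missing directive counts as on,
# because PHP's built-in default for register_argc_argv is "1".
check_register_argc_argv() {
  ini="$1"
  if ! grep -q '^[[:space:]]*register_argc_argv[[:space:]]*=' "$ini"; then
    echo 'register_argc_argv not set: PHP default is On'
    return 1
  fi
  # Last uncommented assignment wins; strip inline ';' comments, quotes, spaces.
  val=$(sed -n 's/^[[:space:]]*register_argc_argv[[:space:]]*=//p' "$ini" \
        | tail -n 1 | sed 's/;.*//' | tr -d '[:space:]"' | tr 'A-Z' 'a-z')
  case "$val" in
    off|0|false|no|none|'') return 0 ;;
    *) echo "register_argc_argv = $val"; return 1 ;;
  esac
}

# Combined check: returns 0 only when neither risky condition is present.
audit_composer_exposure() {
  status=0
  find_exposed_phar "$1" || status=1
  check_register_argc_argv "$2" || status=1
  return $status
}

# Usage (paths are assumptions, adjust to your deployment):
#   audit_composer_exposure /var/www/html /etc/php/8.2/fpm/php.ini
```

Only the php.ini loaded by the web SAPI (php-fpm, mod_php) matters for this advisory, since the CLI SAPI always enables register_argc_argv regardless of the ini setting.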