Upgrade composer/composer to version 1.10.28, 2.2.28, 2.9.8 or higher.
composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.
Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information where a GitHub OAuth token fails regex validation and is subsequently dumped into an exception message that gets printed to standard error/logs.
This is only exploitable if all these conditions are met:
The rejected token is interpolated into the exception message. The exception bubbles up to Symfony Console's default error renderer, which writes it to stderr. Any environment that captures stderr (CI logs, log shippers, monitoring, support transcripts) now has the raw token.
The validation regex ^[.A-Za-z0-9_]+$ does not permit '-'. GitHub's current ghs_<numeric-id>_<base64url-JWT> structured installation tokens routinely contain '-', because base64url (RFC 4648 §5) uses '-' and '_' as URL-safe replacements for '+' and '/'. The regex was chosen in 2021 on the understanding that GitHub tokens use only [A-Za-z0-9_] plus '.'.
Detection / mitigation in upstream platforms is unreliable. GitHub Actions' built-in secret masker matches registered values as exact substrings. When the exception message is rendered by Symfony Console it may wrap, be embedded in 'In BaseIO.php line N:' framing, or interleave with ANSI control sequences. So the masker does not redact, and the plaintext token reaches the log.
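An added Python illustration of the three conditions above; this is not code from composer/composer. It shows that the regex quoted on the page rejects a constructed ghs_ token because of '-', that a redacting error message keeps the rejected value out of the exception, and that a substring-only masker misses the token once the message is hard-wrapped. The corrected pattern NEW_TOKEN_RE, the redact() helper, the wrap width and the sample token are assumptions.

```python
import re

# Pattern quoted on the page (no '-') and, as an assumption, a corrected one
# that also accepts '-' so base64url-bearing ghs_ tokens pass.
OLD_TOKEN_RE = re.compile(r"^[.A-Za-z0-9_]+$")
NEW_TOKEN_RE = re.compile(r"^[.A-Za-z0-9_-]+$")

# Constructed sample in the ghs_<numeric-id>_<base64url> shape; not a real credential.
SAMPLE_TOKEN = "ghs_12345_eyJhbGci-OiJSUzI1NiJ9_abc-def"

def token_matches(token, pattern=OLD_TOKEN_RE):
    """True when the token passes the given allow-list regex."""
    return pattern.fullmatch(token) is not None

def redact(token, keep=4):
    """Log-safe rendering: keep the type prefix, mask the rest."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)

def unsafe_message(token):
    """The flawed pattern: the rejected secret is interpolated verbatim."""
    return "Could not authenticate with token " + token

def safe_message(token):
    """Hardened variant: only the redacted form and length reach the log."""
    return "GitHub OAuth token failed validation (redacted %s, length %d)" % (
        redact(token), len(token))

def rejection_message(token, pattern=NEW_TOKEN_RE):
    """Validate as the hardened code would; return the error text or None."""
    if token_matches(token, pattern):
        return None
    return str(ValueError(safe_message(token)))

def apply_exact_masker(text, secret):
    """Model of a CI secret masker that only replaces exact substring hits."""
    return text.replace(secret, "***")

def wrap_at(text, width):
    """Hard-wrap every `width` chars, as a console error renderer may do."""
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))
```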