Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting composer/composer package, versions <1.10.27>=2.0.0, <2.2.22>=2.3.0, <2.6.4


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
1.13% (86th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-COMPOSERCOMPOSER-5926702
  • published1 Oct 2023
  • disclosed29 Sept 2023
  • creditthomas-chauchefoin-sonarsource

Introduced: 29 Sep 2023

CVE-2023-43655  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

Upgrade composer/composer to version 1.10.27, 2.2.22, 2.6.4 or higher.

Overview

composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') when the composer.phar is published to a public web-accessible server where it can be executed as a php file. An attacker can execute arbitrary code remotely if PHP also has register_argc_argv enabled in php.ini.

Note: This is only exploitable if register_argc_argv is enabled in php.ini and composer.phar is published to the web.

Workaround

This vulnerability can be mitigated by disabling register_argc_argv in php.ini, and avoiding publishing composer.phar to the web.

CVSS Scores

version 3.1