CVE-2023-43655 MEDIUM

CVE-2023-43655: Remote Code Execution via web-accessible composer.phar

Vendor Composer
Product composer
Weakness CWE-74
Published September 29, 2023
Last update June 18, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Composer is a dependency manager for PHP. Users who publish a composer.phar to a public, web-accessible server where the phar can be executed as a PHP file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini: with that directive on, PHP builds `$argv` for a web request from the query string (split on `+`), so a request to the phar hands Composer attacker-chosen command-line arguments. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web at all, as this is not best practice in any case.
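The three conditions in the description (an unfixed Composer release, `register_argc_argv` left on, and a .phar reachable under a web document root) can each be checked mechanically. The script below is an added example written for this record, not code from the Composer project: it classifies a Composer version string against the fixed releases named above (assuming any line newer than 2.6 post-dates the fix, and that lines the advisory does not name, such as 2.3 to 2.5, received no fix), resolves the effective value of `register_argc_argv` from php.ini text (PHP's engine default for the directive is On, so an absent directive counts as enabled), and lists .phar files under a document root. The sample php.ini text and the placeholder composer.phar in `main` are constructed inputs.

```python
"""Audit helper for CVE-2023-43655 (added example; not Composer's own code).

Three checks a deployer would run against a PHP host, each a pure function
so it can be exercised offline:
  1. is_patched()        - is the installed Composer at or past a fixed release?
  2. argc_argv_enabled() - does the effective php.ini leave register_argc_argv on?
  3. exposed_phars()     - is any .phar file reachable under a web document root?
"""
import re
from pathlib import Path

# Fixed releases named in the advisory, keyed by release line (major, minor).
PATCHED = {(1, 10): (1, 10, 27), (2, 2): (2, 2, 22), (2, 6): (2, 6, 4)}


def parse_version(text):
    """Turn 'Composer version 2.5.8 2023-06-09 ...' or '2.6.4' into (2, 5, 8)."""
    m = re.search(r'\b(\d+)\.(\d+)\.(\d+)\b', text)
    if not m:
        raise ValueError(f'no x.y.z version in {text!r}')
    return tuple(int(p) for p in m.groups())


def is_patched(text):
    """True if the version carries the fix.

    Assumption: any line newer than 2.6 (2.7+) post-dates the fix and is
    patched; any line that received no fixed release (1.0-1.9, 2.0-2.1,
    2.3-2.5) is vulnerable, because the advisory only names 1.10.27, 2.2.22
    and 2.6.4 as fixed."""
    major, minor, patch = parse_version(text)
    if (major, minor) > (2, 6):
        return True
    fixed = PATCHED.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


_TRUE = {'1', 'on', 'true', 'yes'}


def argc_argv_enabled(ini_text):
    """Resolve register_argc_argv from php.ini text.

    PHP's built-in default for the directive is On (php.ini-production turns
    it Off), so an absent directive counts as enabled. As in PHP, the last
    assignment wins and anything after ';' is a comment."""
    value = '1'  # engine default when the directive is never set
    for line in ini_text.splitlines():
        line = line.split(';', 1)[0].strip()
        m = re.match(r'register_argc_argv\s*=\s*"?([^"\s]*)"?', line, re.I)
        if m:
            value = m.group(1)
    return value.lower() in _TRUE


def exposed_phars(docroot):
    """Return .phar files found anywhere under a web document root."""
    root = Path(docroot)
    return sorted(str(p.relative_to(root)) for p in root.rglob('*.phar') if p.is_file())


def audit(version_text, ini_text, phar_paths):
    """Combine the three signals into the findings a reviewer would report.
    phar_paths is the output of exposed_phars() or any list of web-reachable .phar files."""
    findings = []
    if not is_patched(version_text):
        ver = '.'.join(map(str, parse_version(version_text)))
        findings.append(f'Composer {ver} predates the fix; upgrade to 2.6.4 / 2.2.22 / 1.10.27 or later')
    if argc_argv_enabled(ini_text):
        findings.append('register_argc_argv is on: the query string becomes $argv for web-run scripts')
    for p in phar_paths:
        findings.append(f'{p} sits under the document root; move it out or deny *.phar in the web server')
    return findings


if __name__ == '__main__':
    import tempfile
    # Constructed sample inputs: an unfixed 2.5.x, a php.ini whose later
    # assignment re-enables the directive, and a docroot with a stray phar.
    sample_ini = "; php.ini\nregister_argc_argv = Off\nregister_argc_argv = On ; overrides the line above\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / 'tools').mkdir()
        (Path(d) / 'tools' / 'composer.phar').write_bytes(b'<?php // placeholder, not a real phar\n')
        for finding in audit('Composer version 2.5.8 2023-06-09 17:13:21', sample_ini, exposed_phars(d)):
            print('-', finding)
```

On a live host, feed `is_patched` the output of `composer --version` and take the effective directive value from `php -i` (the `register_argc_argv => ... => ...` line) rather than from a single ini file, since additional ini files and per-directory settings can override it. Note that `exposed_phars` only reports files under the document root; a web server rule that refuses to serve or execute `*.phar` is a second layer, not a reason to leave the phar there.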

Key dates

Disclosure timeline

September 29, 2023 CVE published
June 18, 2025 Record updated