CVE-2024-35242 HIGH

CVE-2024-35242: Composer vulnerable to command injection via malicious git/hg branch names

Vendor Composer
Product composer
Weakness CWE-77
Published June 10, 2024
Last update February 13, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Key dates

02Disclosure timeline

June 10, 2024 CVE published
February 13, 2025 Record updated