composer/composer is vulnerable to Information Disclosure
47
Medium Risk
Composer masks the password portion of credentials embedded in repository or package URLs, but it prints the username portion in clear text when run with debug verbosity. Because services such as GitHub accept an access token in the username slot of a URL (for example https://TOKEN@github.com/owner/repo), a token used that way is written in full to Composer debug output. The credential is exposed to anyone who can read that output, such as CI build logs or pasted terminal sessions. The fix masks the username the same way the password is already masked, showing only a short non-secret prefix.
You are affected if you are using a version that falls within the vulnerable range and you embed a credential in the username position of a URL Composer handles and run Composer with debug verbosity.
composer/composer is vulnerable to Information Disclosure in versions 1.0.0 - 2.2.28 and 2.3.0 - 2.10.1.
Upgrade the composer/composer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant