Intel

AIKIDO-2026-451217

composer/composer is vulnerable to Information Disclosure

Information DisclosureGHSA-g6xq-892h-64w3 Published 6 days ago

47

Medium Risk

This Affects:

PHPcomposer/composer
1.0.0 - 2.2.28
Fixed in 2.2.29
2.3.0 - 2.10.1
Fixed in 2.10.2
Are you affected? Scan for Free

TL;DR

Composer masks the password portion of credentials embedded in repository or package URLs, but it prints the username portion in clear text when run with debug verbosity. Because services such as GitHub accept an access token in the username slot of a URL (for example https://TOKEN@github.com/owner/repo), a token used that way is written in full to Composer debug output. The credential is exposed to anyone who can read that output, such as CI build logs or pasted terminal sessions. The fix masks the username the same way the password is already masked, showing only a short non-secret prefix.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you embed a credential in the username position of a URL Composer handles and run Composer with debug verbosity.

Background info

composer/composer is vulnerable to Information Disclosure in versions 1.0.0 - 2.2.28 and 2.3.0 - 2.10.1.

How to fix this

Upgrade the composer/composer library to the patch version.