composer/composer is vulnerable to Path Traversal
61
Medium Risk
When Composer installs a package it changes the file mode of each entry declared in the package bin field so it becomes executable. If a bin entry contains .. path segments, it resolves to a path outside the package install directory, letting a malicious or compromised dependency make Composer chmod an arbitrary existing host file to a world-readable and world-executable mode. This runs during normal install, update, and require, is triggered by any direct or transitive dependency, and is not blocked by --no-scripts, --no-plugins, or allow-plugins. The fix rejects any package whose binary entry contains a .. segment and aborts before any permission is changed.
You are affected if you are using a version that falls within the vulnerable range and you install packages from an untrusted or compromised source, directly or transitively.
composer/composer is vulnerable to Path Traversal in versions 1.0.0 - 2.2.28 and 2.3.0 - 2.10.1.
Upgrade the composer/composer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant