Intel

AIKIDO-2026-625824

composer/composer is vulnerable to Path Traversal

Path TraversalGHSA-gjfg-22fp-rrxx Published 6 days ago

61

Medium Risk

This Affects:

PHPcomposer/composer
1.0.0 - 2.2.28
Fixed in 2.2.29
2.3.0 - 2.10.1
Fixed in 2.10.2
Are you affected? Scan for Free

TL;DR

When Composer installs a package it changes the file mode of each entry declared in the package bin field so it becomes executable. If a bin entry contains .. path segments, it resolves to a path outside the package install directory, letting a malicious or compromised dependency make Composer chmod an arbitrary existing host file to a world-readable and world-executable mode. This runs during normal install, update, and require, is triggered by any direct or transitive dependency, and is not blocked by --no-scripts, --no-plugins, or allow-plugins. The fix rejects any package whose binary entry contains a .. segment and aborts before any permission is changed.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you install packages from an untrusted or compromised source, directly or transitively.

Background info

composer/composer is vulnerable to Path Traversal in versions 1.0.0 - 2.2.28 and 2.3.0 - 2.10.1.

How to fix this

Upgrade the composer/composer library to the patch version.