composer/composer is vulnerable to Improper Verification of Cryptographic Signature
35
Low Risk
The self-update --rollback command restores the most recent backup *-old.phar from the Composer data-dir and installs it over composer.phar. The rollback path only runs a structural Phar parse and does not verify the backup against the published signature, unlike the normal self-update download path. On a host where the data-dir or the backup files are writable by other users, a low-privileged user can plant a malicious backup phar that is then executed when another user runs the rollback, leading to code execution as that user. The fix verifies the backup phar signature and warns when the data directory or backup file is owned by or writable by other users before restoring it.
You are affected if you are using a version that falls within the vulnerable range and you run self-update --rollback on a system where the Composer data directory or backup phar files can be written by other users.
composer/composer is vulnerable to Improper Verification of Cryptographic Signature in versions 1.0.0 - 2.10.0.
Upgrade the composer/composer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant