Intel

AIKIDO-2026-688935

composer/composer is vulnerable to Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 29, 2026

35

Low Risk

This Affects:

PHPcomposer/composer
1.0.0 - 2.10.0
Fixed in 2.10.1
Are you affected? Scan for Free

TL;DR

The self-update --rollback command restores the most recent backup *-old.phar from the Composer data-dir and installs it over composer.phar. The rollback path only runs a structural Phar parse and does not verify the backup against the published signature, unlike the normal self-update download path. On a host where the data-dir or the backup files are writable by other users, a low-privileged user can plant a malicious backup phar that is then executed when another user runs the rollback, leading to code execution as that user. The fix verifies the backup phar signature and warns when the data directory or backup file is owned by or writable by other users before restoring it.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run self-update --rollback on a system where the Composer data directory or backup phar files can be written by other users.

Background info

composer/composer is vulnerable to Improper Verification of Cryptographic Signature in versions 1.0.0 - 2.10.0.

How to fix this

Upgrade the composer/composer library to the patch version.