Intel

AIKIDO-2026-727366

composer/composer is vulnerable to Arbitrary File Write

Arbitrary File WriteGHSA-499r-g7pc-vmp9 Published 6 days ago

70

High Risk

This Affects:

PHPcomposer/composer
1.0.0 - 2.2.28
Fixed in 2.2.29
2.3.0 - 2.10.1
Fixed in 2.10.2
Are you affected? Scan for Free

TL;DR

Composer does not fully validate the names of packages produced by dependency resolution before writing them to composer.lock or installing them. A maliciously crafted package served from an untrusted third-party repository can use an invalid package name to make Composer write attacker-controlled files outside the vendor/ directory and outside the project during a normal install or update. This arbitrary file write can be leveraged to execute code outside the expected package context by planting shell startup files, SSH authorized_keys, or cron entries. The fix validates every resolved package name and aborts with a security error when a name is not a valid vendor/package name.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you install packages from an untrusted third-party repository that does not correctly validate package names.

Background info

composer/composer is vulnerable to Arbitrary File Write in versions 1.0.0 - 2.2.28 and 2.3.0 - 2.10.1.

How to fix this

Upgrade the composer/composer library to the patch version.