composer/composer is vulnerable to Arbitrary File Write
70
High Risk
Composer does not fully validate the names of packages produced by dependency resolution before writing them to composer.lock or installing them. A maliciously crafted package served from an untrusted third-party repository can use an invalid package name to make Composer write attacker-controlled files outside the vendor/ directory and outside the project during a normal install or update. This arbitrary file write can be leveraged to execute code outside the expected package context by planting shell startup files, SSH authorized_keys, or cron entries. The fix validates every resolved package name and aborts with a security error when a name is not a valid vendor/package name.
You are affected if you are using a version that falls within the vulnerable range and you install packages from an untrusted third-party repository that does not correctly validate package names.
composer/composer is vulnerable to Arbitrary File Write in versions 1.0.0 - 2.2.28 and 2.3.0 - 2.10.1.
Upgrade the composer/composer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant