Severity: 8.8 HIGH
EPSS: 0.3% (top 49.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 13; latest update Jun 30

Description

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data the

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 6.0

Affected Packages (6 packages)

Source      | Package              | Affected versions                      | More
CVEList V5  | composer/composer    | < 1.10.26                              | +2
Packagist   | composer/composer    | 2.0 to 2.2.12                          | +2
NVD         | getcomposer/composer | 2.0.0 to 2.2.12                        | +2
Debian      | composer             | < 2.0.9-2+deb11u1                      | +3
Ubuntu      | composer             | < 1.0.0~beta2-1ubuntu0.1~esm2          | +4

Also affects: Fedora 34, 35, 36

Patches

Vulnerability Details (5)

OSV: composer vulnerabilities (2025-06-30)
GHSA: Missing input validation can lead to command execution in composer (2022-04-22)
OSV: Missing input validation can lead to command execution in composer (2022-04-22)
CVEList: Missing input validation can lead to command execution in composer (2022-04-13)
OSV: CVE-2022-24828: Composer is a dependency manager for the PHP programming language (2022-04-13)

Vendor Advisories (2)

Ubuntu: Composer vulnerabilities (2025-06-30)
Debian: CVE-2022-24828: composer - Composer is a dependency manager for the PHP programming language. Integrators u... (2022)