CVE-2023-43655: Injection in Composer

CWE-74: Injection. 8 documents, 6 sources
Severity
NVD: 8.8 HIGH
CNA: 6.4
EPSS: 2.1% (top 16.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 29
Latest update: Jun 30

Description

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (5 packages)

Source | Package | Affected versions
CVEListV5 | composer/composer | < 1.10.27 (+2)
Packagist | composer/composer | 2.0.0 to 2.2.22 (+2)
NVD | getcomposer/composer | 2.0.0 to 2.2.21 (+2)
Debian | composer/composer | < 2.6.4-1 (+1)
Ubuntu | composer/composer | < 1.0.0~beta2-1ubuntu0.1~esm2 (+4)

Also affects: Debian Linux 10.0, Fedora 37, 38

Patches

Vulnerability Details (5)

OSV: composer vulnerabilities (2025-06-30)
OSV: Composer Remote Code Execution vulnerability via web-accessible composer.phar (2023-09-29)
CVEList: Remote Code Execution via web-accessible composer.phar (2023-09-29)
OSV: CVE-2023-43655: Composer is a dependency manager for PHP (2023-09-29)
GHSA: Composer Remote Code Execution vulnerability via web-accessible composer.phar (2023-09-29)

Vendor Advisories (2)

Ubuntu: Composer vulnerabilities (2025-06-30)
Debian: CVE-2023-43655: composer - Composer is a dependency manager for PHP. Users publishing a composer.phar to a ... (2023)
CVE-2023-43655 — Injection in Composer | cvebase