CVE-2023-43655
Published 2023-09-29
CVE-2023-43655: Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php…
Priority: P2 60 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.38% (68.7th percentile)
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
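The advisory names two preconditions that must both hold: `register_argc_argv` enabled in php.ini, and a composer.phar sitting under a web document root. The following audit helper is an added example, not code from the Composer project or any of the advisories quoted on this page; it checks both conditions on a host and flags when they coincide. The php.ini path and document root are assumptions passed in by the caller, and the sample environment it builds at the end is constructed for a stand-alone run.

```shell
#!/bin/sh
# Added audit helper for the CVE-2023-43655 preconditions (not from the advisory).
# Assumed inputs: a php.ini path and a web document root, both supplied by the caller.

# Returns 0 (true) when the given php.ini enables register_argc_argv.
# PHP accepts On/1/True/Yes as truthy; lines commented out with ';' are ignored.
ini_register_argc_argv_enabled() {
    ini_file="$1"
    grep -iE '^[[:space:]]*register_argc_argv[[:space:]]*=[[:space:]]*"?(on|1|true|yes)"?[[:space:]]*(;.*)?$' \
        "$ini_file" >/dev/null 2>&1
}

# Prints every composer.phar found under the given document root, one path per line.
find_web_composer_phar() {
    find "$1" -type f -name 'composer.phar' 2>/dev/null
}

# Combines both checks: returns 1 (and lists the phar paths) only when the
# setting is on AND a composer.phar is reachable under the document root.
audit_composer_exposure() {
    ini_file="$1"
    docroot="$2"
    phars=$(find_web_composer_phar "$docroot")
    if ini_register_argc_argv_enabled "$ini_file" && [ -n "$phars" ]; then
        echo "AT RISK: register_argc_argv is enabled and composer.phar is web-accessible:"
        echo "$phars"
        return 1
    fi
    echo "OK: preconditions for CVE-2023-43655 are not both present"
    return 0
}

# Constructed sample environment so the script demonstrates itself offline.
demo() {
    tmp=$(mktemp -d)
    printf 'register_argc_argv = On\n' > "$tmp/php.ini"      # constructed php.ini
    mkdir -p "$tmp/htdocs/tools"
    : > "$tmp/htdocs/tools/composer.phar"                    # constructed phar placeholder
    audit_composer_exposure "$tmp/php.ini" "$tmp/htdocs" || true
    rm -rf "$tmp"
}
demo
```

Run it against the real paths (for example `audit_composer_exposure /etc/php/8.2/fpm/php.ini /var/www/html`); a non-zero exit marks a host where the workaround from the advisory (disable the setting, remove the phar from the web root) still needs to be applied. The check reads only the named php.ini, so per-pool or .htaccess overrides of the setting are not covered.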
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| composer | composer | < 1.10.27 | 1.10.27 |
| composer | composer | — | — |
| composer | composer | — | — |
| composer | composer | >= 0 < 2.6.4-1 | 2.6.4-1 |
| composer | composer | >= 0 < 2.6.4-1 | 2.6.4-1 |
| composer | composer | >= 0 < 1.10.27 | 1.10.27 |
| composer | composer | >= 0 < 1.0.0~beta2-1ubuntu0.1~esm2 | 1.0.0~beta2-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.6.3-1ubuntu0.1~esm2 | 1.6.3-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.10.1-1ubuntu0.1~esm2 | 1.10.1-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 2.2.6-2ubuntu4+esm1 | 2.2.6-2ubuntu4+esm1 |
| composer | composer | >= 0 < 2.7.1-2ubuntu0.1~esm1 | 2.7.1-2ubuntu0.1~esm1 |
| composer | composer | >= 2.0.0 < 2.2.22 | 2.2.22 |
| composer | composer | >= 2.3.0 < 2.6.4 | 2.6.4 |
| debian | composer | < composer 2.6.4-1 (forky) | composer 2.6.4-1 (forky) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| getcomposer | composer | < 1.10.27 | 1.10.27 |
| getcomposer | composer | >= 2.0.0 < 2.2.21 | 2.2.21 |
| getcomposer | composer | >= 2.3.0 < 2.6.4 | 2.6.4 |
Detection & IOCs (extracted from sources)
- Detect web-accessible composer.phar being executed as a PHP file, which is the attack surface for this RCE vulnerability
- Flag presence of register_argc_argv=On in php.ini as a prerequisite condition enabling this vulnerability
- Composer did not correctly handle certain arguments; monitor for unexpected argument injection in Composer invocations, especially via web requests
- Vulnerability only triggers when both conditions are met: composer.phar is published to a public web-accessible server AND PHP has register_argc_argv enabled
- Mitigation without upgrading requires disabling register_argc_argv in php.ini AND not publishing composer.phar to the web
- Patched versions are 2.6.4, 2.2.22, and 1.10.27; any Composer version below these on a web-accessible server with register_argc_argv=On is vulnerable
- Debian Bookworm and Bullseye remain open/unpatched per the security tracker at time of source capture
- Ubuntu affected versions include 16.04 LTS, 18.04 LTS, 20.04 LTS, and 22.04 LTS
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.3 | HIGH | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
OSV: composer vulnerabilities (osv · 2025-06-30 · CVSS 8.8)
CVE-2022-24828 [HIGH] composer vulnerabilities
Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655)
Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)
Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35241)
Maciej Piechota discovered that Composer did not correctly handle VCS branch names. An
OSV: Composer Remote Code Execution vulnerability via web-accessible composer.phar (osv · 2023-09-29)
CVE-2023-43655 [HIGH] Composer Remote Code Execution vulnerability via web-accessible composer.phar
### Impact
Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.
### Patches
2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.
### Workarounds
Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.
OSV: CVE-2023-43655: Composer is a dependency manager for PHP (osv · 2023-09-29 · CVSS 8.8)
CVE-2023-43655 [HIGH] CVE-2023-43655: Composer is a dependency manager for PHP
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
GHSA: Composer Remote Code Execution vulnerability via web-accessible composer.phar (ghsa · 2023-09-29)
CVE-2023-43655 [HIGH] CWE-74 Composer Remote Code Execution vulnerability via web-accessible composer.phar
### Impact
Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.
### Patches
2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.
### Workarounds
Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.
Ubuntu: Composer vulnerabilities (vendor_ubuntu · 2025-06-30 · CVSS 8.3)
CVE-2024-35241 [HIGH] Composer vulnerabilities
Title: Composer vulnerabilities
Summary: Several security issues were fixed in Composer.
Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655)
Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)
Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35241)
Maciej Piechota discov
Debian: CVE-2023-43655: composer - Composer is a dependency manager for PHP. Users publishing a composer.phar to a ... (vendor_debian · 2023 · CVSS 6.4)
CVE-2023-43655 [MEDIUM] CVE-2023-43655: composer - Composer is a dependency manager for PHP. Users publishing a composer.phar to a ...
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.6.4-1)
sid: resolved (fixed in 2.6.4-1)
trixie: resolved (fixed in 2.6.4-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d
- https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c
- https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c
- https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf
- https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/
Published: 2023-09-29