CVE-2024-24821Inclusion of Functionality from Untrusted Control Sphere in Composer

CWE-829Inclusion of Functionality from Untrusted Control Sphere8 documents6 sources
Severity
7.8HIGHNVD
CNA8.8
EPSS
0.1%
top 68.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ComposerGetcomposer Composer
Timeline
PublishedFeb 9
Latest updateJun 30

Description

Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar'

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

Packagistcomposer/composer2.0.0-alpha12.2.23+1
NVDgetcomposer/composer2.0.02.2.23+1
Debiancomposer/composer< 2.0.9-2+deb11u2+3
CVEListV5composer/composer>= 2.0, < 2.2.23, >= 2.3, < 2.7+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
composer vulnerabilities2025-06-30
OSV
CVE-2024-24821: Composer is a dependency Manager for the PHP language2024-02-09
OSV
Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php2024-02-08
GHSA
Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php2024-02-08
CVEList
Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer2024-02-08

📋Vendor Advisories

2
Ubuntu
Composer vulnerabilities2025-06-30
Debian
CVE-2024-24821: composer - Composer is a dependency Manager for the PHP language. In affected versions seve...2024
CVE-2024-24821 — Getcomposer Composer vulnerability | cvebase