Getcomposer Composer vulnerabilities

7 known vulnerabilities affecting getcomposer/composer.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, LOW 1

Vulnerabilities

CVE-2025-67746 | LOW | CVSS 1.3 | Affected: ≥ 2.0.0, < 2.2.26; ≥ 2.3.0, < 2.9.3 | Date: 2025-12-30
CWE-74. Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal appli...
Source: nvd
CVE-2024-24821 | HIGH | CVSS 7.8 | Affected: ≥ 2.0.0, < 2.2.23; ≥ 2.3.0, < 2.7.0 | Date: 2024-02-09
CWE-829. Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicio...
Source: nvd
CVE-2023-43655 | HIGH | CVSS 8.8 | Affected: fixed in 1.10.27; ≥ 2.0.0, < 2.2.21; +1 more | Date: 2023-09-29
CWE-74. Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised...
Source: nvd
CVE-2015-8371 | HIGH | CVSS 8.8 | Affected: v1.0.0 | Date: 2023-09-21
CWE-345. Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (...
Source: nvd
CVE-2022-24828 | HIGH | CVSS 8.8 | Affected: fixed in 1.10.26; ≥ 2.0.0, < 2.2.12; +1 more | Date: 2022-04-13
CWE-20. Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a...
Source: nvd
CVE-2021-41116 | CRITICAL | CVSS 9.8 | Affected: fixed in 1.10.23; ≥ 2.0.0, < 2.1.9 | Date: 2021-10-05
CWE-77. Composer is an open source dependency manager for the PHP language. In affected versions Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no wor...
Source: nvd
CVE-2021-29472 | HIGH | CVSS 8.8 | Affected: fixed in 1.10.22; ≥ 2.0, < 2.0.13 | Date: 2021-04-27
CWE-88. Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file...
Source: nvd