Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource.

Fixes for Packagist.org and Private Packagist were deployed within 12 hours of receiving the report of remote command execution on April 22nd, 2021.

To the best of our knowledge the vulnerability has not been exploited.


Cause of the Vulnerability

URLs for repositories in root composer.json files and package source download URLs were not sanitized sufficiently and could be interpreted as options for system commands executed by Composer (parameter injection). This problem alone does not yet allow command execution, as the values are appropriately escaped. The parameter injection has been fixed all across Composer with help by Thomas Chauchefoin from SonarSource by separating positional command arguments from options with the -- separator where possible, e.g. hg clone -- '$URL' instead of hg clone '$URL'.

Because Mercurial's commands offer a --config option to temporarily override configuration values, and because alias configuration allows redefining Mercurial subcommands to arbitrary system commands, a value can be crafted allowing system commands to be executed in the HgDriver if Mercurial (executable called "hg") is installed on the system.

So systems which do not have Mercurial installed are safe from this particular vulnerability.

Impact on Packagist.org and Private Packagist

Both Packagist.org and Private Packagist were theoretically vulnerable to an attack with package URLs crafted to trigger Mercurial to execute system commands. Based on a review of logs, and an audit of database contents we do not believe this vulnerability to have been exploited on either of our services.

For our self-hosted product Private Packagist Enterprise we have made version 1.10.6 available with the updated Composer version. After installing the update you can run the command replicated admin audit --vulnerability=CVE-2021-29472 to check for any compromising packages or processed jobs. Further details on analyzing your installation for integrity are available through the release notification or upon request from our support at contact@packagist.com.

As a precaution after updating Composer we recommend you audit your composer.lock files to ensure they only contain URLs and none which start with -- , e.g. --config and could be considered command line options. Should you find any such URL values despite our belief that this vulnerability was not exploited in the wild, please contact us immediately by email to security@packagist.org.

In general we always recommend you review changes you make to your lock files to ensure no untrusted dependencies or external URLs are introduced to your application. Please note that Packagist.org is only a metadata server and package contents are downloaded from a location chosen by the package maintainers. Private Packagist will store copies of mirrored package contents, so Composer can download them from there, but the lock files will still contain the maintainers' original URLs for reference and as a fallback.

If you maintain a service passing user input to Composer, apart from updating Composer immediately, you may wish to add your own validation for user input before passing it to Composer, e.g. add validation of URLs.