CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource.

Fixes for Packagist.org and Private Packagist were deployed within 24 hours of receiving the report of remote command execution on April 7th, 2022.

To the best of our knowledge the vulnerability has not been exploited


Cause of the Vulnerability

This issue is similar to the command injection vulnerability Thomas Chauchefoin discovered a year ago. An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project's composer.json can use specially crafted branch names to execute commands on the machine running composer update.

In this instance the -- argument delimiter referenced in last year's vulnerability post was not available for separating the branch name from the used command. The attacker can control input which ends up being interpreted as parameters for the git or hg commands executed by Composer which leads to the ability to execute other commands.

Input validation has been added to Composer to disallow branch names starting with a dash to prevent exploitation of this issue. Newer versions of git added --end-of-options to help separate arguments, but this isn't available on all git versions which Composer supports, yet.

Impact on Packagist.org and Private Packagist

Both Packagist.org and Private Packagist use the Composer VCS drivers to load package information from Git and Mercurial repositories, and were thus vulnerable to this attack. The vulnerability does not extend to installing packages from Packagist.org or Private Packagist, even when using --prefer-source to clone repositories into the vendor directory.

Based on a review of logs, and an audit of database contents we do not believe this vulnerability to have been exploited on either of our services.

We have made Private Packagist Self-Hosted 1.11.3 available with the updated Composer version. The vulnerability could only have been exploited by anyone controlling a VCS repository you explicitly added to your Private Packagist Self-Hosted installation. After installing the update you can run the command replicated admin audit --vulnerability=CVE-2022-24828 to check for any compromising packages or files containing exploit code. Further details on analyzing your installation for integrity are available through the release notification or upon request from our support at contact@packagist.com.

Library Use of Composer

If you maintain a service or tool passing user input to Composer, apart from updating Composer immediately, you should review that all input you pass to Composer is properly validated and you do not accept branch names or file names with leading dashes when calling VcsDriver::getFileContents.