Git Clone Security Vulnerability

On March 9th, the Git project published new releases for maintained branches to address security vulnerability CVE-2021-21300. We recommend you update your Git installation to a release containing the fix.

On case-insensitive filesystems with symbolic links (e.g. Windows/NTFS, or OS X/APFS) the vulnerability allows git repositories to use delay-capable clean/smudge filters (such as Git LFS) to execute remote code during a git clone operation. So an attacker can craft a Git repository which will get your machine to run the attacker's code when you clone their Git repository.

If you cannot update to one of the secure versions (v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1, v2.29.3, and v2.30.2), GitHub suggests one of the following mitigation steps:

  • Disable support for symbolic links in Git by running git config --global core.symlinks false.
  • Disable support for process filters. (You can see whether any are configured on your system by running git config --show-scope --get-regexp 'filter\..*\.process'. In the Windows Command Prompt, replace the single quotes in this example with double quotes.)
  • Avoid cloning untrusted repositories.
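As an added example (not part of the advisory or of GitHub's guidance), a POSIX shell audit script that applies the checks above to a machine: it compares the installed Git version against the fixed releases listed in this post and, when the version is not fixed, reports the core.symlinks setting and any configured process filters. The rule that branches newer than 2.30 are treated as fixed, and branches older than 2.17 as vulnerable, is an assumption of this script.

```shell
#!/bin/sh
# Added audit script: checks a machine against the mitigations listed above.
# FIXED_VERSIONS are the fixed releases the advisory names, one per maintained branch.
FIXED_VERSIONS="2.17.6 2.18.5 2.19.6 2.20.5 2.21.4 2.22.5 2.23.4 2.24.4 2.25.5 2.26.3 2.27.1 2.28.1 2.29.3 2.30.2"

# git_version_is_fixed MAJOR.MINOR[.PATCH[.suffix]] -> exit 0 if that release has the fix.
# Assumptions: branches newer than 2.30 postdate the advisory and are treated as fixed;
# branches older than 2.17 are unmaintained and treated as vulnerable.
git_version_is_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # "2.windows.1" -> "2", "1 (Apple Git-130)" -> "1"
    if [ -z "$patch" ]; then patch=0; fi
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi
    for f in $FIXED_VERSIONS; do
        fminor=${f#2.}; fpatch=${fminor#*.}; fminor=${fminor%%.*}
        if [ "$minor" -eq "$fminor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then return 0; else return 1; fi
        fi
    done
    if [ "$minor" -gt 30 ]; then return 0; else return 1; fi
}

# audit_git: report whether the installed Git is fixed and, if not, whether the
# two config-level mitigations (core.symlinks, filter.*.process) are in place.
audit_git() {
    v=$(git version | sed 's/^git version //')
    if git_version_is_fixed "$v"; then
        echo "git $v: contains the CVE-2021-21300 fix"
        return 0
    fi
    echo "git $v: NOT fixed - update, or apply the mitigations"
    echo "core.symlinks = $(git config --get core.symlinks || echo '(unset: symlinks enabled)')"
    # Same query the advisory suggests; older Git lacks --show-scope, so fall back without it.
    filters=$(git config --show-scope --get-regexp 'filter\..*\.process' 2>/dev/null \
              || git config --get-regexp 'filter\..*\.process' 2>/dev/null)
    echo "process filters: ${filters:-none configured}"
}

# Run the audit only when git is on PATH (the version parser above works without it).
command -v git >/dev/null 2>&1 && audit_git
```

Run it on each machine that performs clones, including CI runners, since Composer may clone on any of them.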

We are alerting you to this problem because Composer will automatically use Git to clone repositories of your dependencies in some situations. GitHub and Packagist themselves are not affected by this vulnerability. For any packages you install in a development version (e.g. dev-main, dev-feature-x, 2.x-dev), Composer will by default clone the underlying Git repository rather than downloading and extracting an archive file. If you use the --prefer-source option, Composer will always attempt to clone source repositories for your dependencies where possible. Packagist.org does not host any of the files or git repositories, so you are downloading code directly from the maintainers of the dependency when you install Packagist.org dependencies.

You can change Composer's default behavior by using the --prefer-dist option on Composer commands; it will then try to download and extract a dist/archive/zip file. But if a package does not list any dist URLs at all, a git clone will still be performed. In the upcoming Composer 2.1 release, --prefer-dist will become the default installation behavior.

Private Packagist ensures all your dependencies always have dist files available for all versions, so if you use Private Packagist, --prefer-dist will protect you in all cases. Private Packagist does not host or proxy git repositories, however, so if you install third-party dependencies from source, you still need to ensure your machines are not vulnerable. We therefore still recommend you update your Git installations.