You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Composer has multiple command injections via malicious git/hg branch names
High severity
GitHub Reviewed
Published
Jun 10, 2024
in
composer/composer
•
Updated Jun 20, 2024
The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.
Impact
The
composer install
command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline
Workarounds
Avoid cloning potentially compromised repositories.
References