Composer · CVE-2024-35241
**Name of the Vulnerable Software and Affected Versions**
Composer versions prior to 2.2.24 and 2.7.7
**Description**
The issue stems from incorrect neutralization of special elements in the `getUnpushedChanges()` function of the Composer dependency manager for PHP. A remote attacker who controls a git repository from which a package has been installed from source can place a specially crafted branch name in that repository and thereby execute arbitrary commands when the `status`, `reinstall`, or `remove` commands are run against the installed package.
**Recommendations**
For versions prior to 2.2.24, update to version 2.2.24 for the 2.2 LTS branch.
For versions prior to 2.7.7, update to version 2.7.7 for the mainline branch.
As a temporary workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
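The following triage helper is an added example and is not part of the advisory or of Composer's own code. It ties together the description above and the recommendations: it parses `composer --version` output to decide whether the installed release falls below the fixed 2.2.24 (2.2 LTS) or 2.7.7 (mainline) versions, checks whether `composer.json` already carries the `preferred-install: dist` workaround, and lists the packages under `vendor/` that were installed from source (the ones a crafted branch name could reach). It assumes the `Composer version X.Y.Z ...` output format and that a source-installed package keeps a `.git` directory at `vendor/<vendor>/<name>/`; the package names and branch in the built-in sample tree are constructed for offline use.

```python
"""Triage helper for CVE-2024-35241 (Composer getUnpushedChanges() command injection)."""
import json
import re
import subprocess
import tempfile
from pathlib import Path

# Fixed releases named in the advisory: 2.2.24 for the 2.2 LTS branch, 2.7.7 for mainline.
FIXED_LTS = (2, 2, 24)
FIXED_MAINLINE = (2, 7, 7)

# Assumed output shape: "Composer version 2.7.6 2024-05-06 17:00:00"
_VERSION_RE = re.compile(r"Composer(?: version)? (\d+)\.(\d+)\.(\d+)")


def parse_composer_version(output: str):
    """Return (major, minor, patch) from `composer --version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version) -> bool:
    """True if the version is one the advisory lists as affected.

    2.2.x releases are fixed from 2.2.24; every other release line is fixed from 2.7.7.
    """
    if version[:2] == (2, 2):
        return version < FIXED_LTS
    return version < FIXED_MAINLINE


def workaround_applied(composer_json_text: str) -> bool:
    """True if composer.json forces dist installs via config.preferred-install.

    Composer accepts either a plain string or a package-pattern -> "dist"/"source" map;
    for the map form we require the catch-all "*" entry and no "source" entries.
    """
    data = json.loads(composer_json_text)
    pref = data.get("config", {}).get("preferred-install")
    if isinstance(pref, str):
        return pref == "dist"
    if isinstance(pref, dict):
        return pref.get("*") == "dist" and all(v == "dist" for v in pref.values())
    return False


def git_sourced_packages(vendor_dir):
    """List (package, branch) for vendor packages that carry a .git directory.

    These are the packages installed from source, which the workaround is meant to avoid.
    """
    vendor = Path(vendor_dir)
    found = []
    for head in vendor.glob("*/*/.git/HEAD"):
        pkg = head.parent.parent.relative_to(vendor).as_posix()
        ref = head.read_text().strip()
        prefix = "ref: refs/heads/"
        branch = ref[len(prefix):] if ref.startswith(prefix) else "(detached)"
        found.append((pkg, branch))
    return sorted(found)


def triage(version_output: str, composer_json_text: str, vendor_dir) -> dict:
    """Combine the three checks into one findings dict."""
    version = parse_composer_version(version_output)
    return {
        "version": version,
        "vulnerable": version is not None and is_vulnerable(version),
        "workaround": workaround_applied(composer_json_text),
        "git_packages": git_sourced_packages(vendor_dir),
    }


def build_sample_vendor(root) -> Path:
    """Create a constructed vendor/ tree: one source-installed package, one dist-only package."""
    vendor = Path(root) / "vendor"
    src_pkg = vendor / "acme" / "lib"          # constructed package name
    (src_pkg / ".git").mkdir(parents=True)
    (src_pkg / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (vendor / "acme" / "dist-only").mkdir(parents=True)
    return vendor


def sample_triage() -> dict:
    """Run triage on constructed inputs so the helper can be exercised offline."""
    sample_version = "Composer version 2.7.6 2024-05-06 17:00:00"   # constructed
    sample_json = '{"config": {"preferred-install": "source"}}'     # constructed
    with tempfile.TemporaryDirectory() as tmp:
        return triage(sample_version, sample_json, build_sample_vendor(tmp))


if __name__ == "__main__":
    try:
        real = subprocess.run(["composer", "--version"], capture_output=True, text=True).stdout
        result = triage(real, Path("composer.json").read_text(), "vendor")
    except (FileNotFoundError, OSError):
        result = sample_triage()
    print(json.dumps(result, indent=2))
```

Run it from a project root; when `composer` or `composer.json` is missing it falls back to the constructed sample. A result of `vulnerable: true` with `workaround: false` and a non-empty `git_packages` list is the case the advisory's recommendations address: upgrade to 2.2.24 or 2.7.7, and until then set `preferred-install` to `dist` and reinstall the listed packages.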