Composer · Composer · CVE-2024-35242
**Name of the Vulnerable Software and Affected Versions**
Composer 2.x: the 2.2 LTS line before 2.2.24, and the mainline (2.3 and later) before 2.7.7.
**Description**
When `composer install` is run inside a checked-out git or Mercurial repository, affected versions take the repository's branch names and insert them into shell-interpreted command lines without escaping. A branch whose name contains shell metacharacters (for example a `;` or `$(...)` sequence) therefore executes arbitrary commands with the privileges of the user running Composer. Exploitation requires the victim to clone an untrusted repository (or fetch branches from an untrusted remote) and then run Composer inside it; the malicious content is the branch name itself, not the files in the working tree.
**Recommendations**
Users on the 2.2 LTS line should update to 2.2.24.
Users on the mainline should update to 2.7.7.
If updating is not immediately possible, do not run `composer install` inside clones of repositories you do not trust, and inspect the branch names of a clone (including remote-tracking branches) before running Composer in it. Note that running Composer from a directory that is not inside a repository is not affected, since there are no branch names to inspect.
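The following shell script is an added example written for this advisory; it is not Composer's code and does not reproduce Composer's exact commands. The first part shows the bug class behind the description above with a harmless stand-in command: a branch name spliced into a string that a shell parses, beside the hardened form that passes the name as a single argument. The second part implements the pre-check suggested in the recommendations, flagging branch names that fall outside a conservative character set (the set and the function names are this example's own choices, not Composer's).

```sh
#!/bin/sh
# Added example for CVE-2024-35242, not part of Composer or the advisory.

# --- Part 1: the bug class -------------------------------------------------
# Vulnerable pattern (illustrative stand-in for Composer's internal command):
# the branch name is spliced into a command string that a shell then parses,
# so a name such as "x; echo INJECTED" runs a second command.
describe_branch_unsafe() {
    sh -c "printf 'branch=%s\n' $1"
}

# Hardened pattern: the name is passed as one argument and never re-parsed by
# a shell, so it can only ever be data.
describe_branch_safe() {
    printf 'branch=%s\n' "$1"
}

# --- Part 2: pre-check before running composer install ---------------------
# Read branch names from stdin, one per line. Any name containing a character
# outside A-Z a-z 0-9 . _ / - is reported on stderr. Returns 1 if at least one
# suspicious name was seen, 0 otherwise. (A name containing a newline cannot
# be read line-wise; git itself rejects such names.)
check_branch_names() {
    bad=0
    while IFS= read -r name || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        case "$name" in
            *[!A-Za-z0-9._/-]*)
                printf 'suspicious branch name: %s\n' "$name" >&2
                bad=1
                ;;
        esac
    done
    return "$bad"
}

# Enumerate local and remote-tracking branches of the clone at $1 and run the
# check. Requires git; only reads the repository.
check_repo() {
    git -C "$1" for-each-ref --format='%(refname:short)' refs/heads refs/remotes |
        check_branch_names
}

# Usage: check_repo /path/to/clone && (cd /path/to/clone && composer install)
```

Run `check_repo` on a fresh clone before `composer install`; a non-zero exit means a branch name was found that a shell would not treat as plain text. The check is deliberately strict (legitimate names with spaces or `@` will also be reported), which is the right trade-off for an untrusted clone.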