PT-2021-4546 · Composer (+5 affected products)
Credit: Thomas Chauchefoin, SonarSource
Published: 2021-03-30 · Updated: 2026-05-04
CVE-2021-29472
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Composer versions prior to 1.10.22
Composer versions prior to 2.0.13
Description
The issue is incorrect sanitization of URLs for Mercurial repositories in the root composer.json and in package source download URLs. Specially crafted URL values can execute code in the HgDriver if hg/Mercurial is installed on the system. The impact is mainly to services that pass user input to Composer, including Packagist.org and Private Packagist, where it allows users to trigger remote code execution. The vulnerability was patched on Packagist.org and Private Packagist within 12 hours of receiving the initial vulnerability report, and based on a review of logs, it is believed that the vulnerability was not abused by anyone.
Recommendations
For versions prior to 1.10.22, upgrade to version 1.10.22 or later to patch the issue.
For versions prior to 2.0.13, upgrade to version 2.0.13 or later to patch the issue.
As a temporary workaround, disable the HgDriver until a patched version can be deployed.
Restrict which callers can reach VcsRepository/VcsDriver or its derivatives, to minimize the risk of exploitation.
Until the issue is resolved, do not pass untrusted or user-controlled URL values into the composer.json file or into package source download URLs.
Tags: RCE, Code Injection, Argument Injection
Affected Products
Alt Linux
Astra Linux
Composer
Linux Mint
SUSE
Ubuntu