PT-2024-1571 · Composer+5

Edonsec · Published 2024-02-08 · Updated 2025-06-30 · CVE-2024-24821

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Composer versions prior to 2.7.0
Composer versions prior to 2.2.23
Description
The vulnerability is an inclusion of functionality from an untrusted control sphere in the Composer dependency manager for PHP. Under certain conditions, arbitrary code execution can lead to local privilege escalation, lateral movement between users, or execution of malicious code when Composer is invoked inside a directory containing tampered files. All Composer CLI commands are affected, including composer.phar's self-update. High-risk scenarios include Composer being run with sudo, pipelines executing Composer on untrusted projects, and shared environments where several developers run Composer on the same project.

Recommendations
For versions prior to 2.7.0 and 2.2.23, update to version 2.7.0 or 2.2.23 to address the vulnerability. Where updating is not possible, remove sudo composer privileges from all users to prevent escalation to root. Avoid running Composer inside an untrusted directory, or verify that the contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code. These files can also be reset by running the following commands:
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
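As an added example (not the advisory's own text and not Composer's code), the following POSIX shell script implements the check and the reset the recommendation describes: a heuristic scan of vendor/composer/installed.php, assuming Composer writes that file as a pure data array, and the rm/composer install reset, which refuses to run with root privileges because that is the sudo scenario above.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Composer itself. It implements
# the two checks the recommendation describes: a heuristic scan of
# vendor/composer/installed.php (assumption: Composer writes it as pure data,
# "<?php return array(...);", so any identifier followed by "(" other than
# array( does not belong) and the reset of both generated files, which
# refuses to run with root privileges.

# scan_installed_php FILE
# Exit status: 0 = looks like plain data, 1 = unexpected code found, 2 = missing.
scan_installed_php() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
  # A second open tag or a close tag means inline PHP/HTML beyond the data array.
  if [ "$(grep -c '<?php' "$f")" -ne 1 ] || grep -q '?>' "$f"; then
    echo "SUSPICIOUS (extra PHP tags): $f" >&2
    return 1
  fi
  # Strip the one legitimate call-like token, then look for function calls,
  # backtick (shell) operators and include/require statements.
  if sed 's/array[[:space:]]*(//g' "$f" |
     grep -Eq '[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(|`|(include|require)(_once)?[[:space:]]'; then
    echo "SUSPICIOUS (code found): $f" >&2
    return 1
  fi
  echo "ok: $f"
  return 0
}

# reset_composer_files
# The advisory's reset, run from the project root: discard both generated
# files and rebuild them with scripts and plugins disabled. Never as root,
# since "sudo composer" is exactly what turns this bug into a root LPE.
reset_composer_files() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "refusing to run composer as root" >&2
    return 1
  fi
  rm -f vendor/composer/installed.php vendor/composer/InstalledVersions.php &&
    composer install --no-scripts --no-plugins
}
```

The scan is a heuristic: a clean installed.php contains no function calls at all, so any hit is worth a manual look, and a pipeline can fail the build on a non-zero exit status before Composer is ever invoked in that directory.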

Exploit · Fix · LPE

Weakness Enumeration

Related Identifiers

ALT-PU-2024-2548
BDU:2024-01128
BIT-COMPOSER-2024-24821
CVE-2024-24821
DSA-5632-1
GHSA-7C6P-848J-WH5H
OPENSUSE-SU-2024:13681-1
OPENSUSE-SU-2024_0592-1
SUSE-SU-2024:0592-1
SUSE-SU-2024_0592-1
SUSE-SU-2026:1970-1
USN-7603-1

Affected Products

Alt Linux
Composer
Linuxmint
Red Os
Suse
Ubuntu