PT-2025-54191 · Composer+2
Seldaek · Published 2025-01-01 · Updated 2026-03-05
CVE-2025-67746
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Composer versions prior to 2.2.26
Composer versions prior to 2.9.3
Description
Composer, a dependency manager for PHP, may allow attackers who control remote sources from which Composer downloads to inject ANSI control characters into the terminal output of various Composer commands. This can result in distorted output and potentially cause a denial-of-service condition for the terminal application. There is no known exploit for this issue, but it is considered potentially abusable.
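The weakness class described above comes down to text from a remote source reaching the terminal unfiltered. The following is an added defensive example, not Composer's code or its actual fix: a hypothetical helper `neutralizeForTerminal()` for a PHP 8 CLI tool that turns control characters into visible escapes before printing; the sample description string is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Composer's code): render control characters in
// untrusted text as visible \xNN escapes so a terminal never interprets them.
function neutralizeForTerminal(string $untrusted): string
{
    // For C0 controls and DEL the byte is the code point. C1 controls
    // (U+0080-U+009F) encode in UTF-8 as C2 80..C2 9F, so the last byte of
    // the match is the code point there as well.
    $escape = static fn (array $m): string =>
        sprintf('\\x%02X', ord(substr($m[0], -1)));

    if (preg_match('//u', $untrusted) === 1) {
        // Valid UTF-8: keep printable text, tab and newline; escape C0
        // controls (including ESC and CR), DEL, and C1 controls such as the
        // single-character CSI U+009B.
        $pattern = '/[\x00-\x08\x0B-\x1F\x7F\x{80}-\x{9F}]/u';
    } else {
        // Invalid UTF-8: work on raw bytes and escape everything outside
        // printable ASCII, tab and newline.
        $pattern = '/[^\x20-\x7E\n\t]/';
    }

    $safe = preg_replace_callback($pattern, $escape, $untrusted);
    if ($safe === null) {
        throw new RuntimeException('PCRE error: ' . preg_last_error_msg());
    }
    return $safe;
}

// Constructed sample: a package description as a remote repository might
// return it, carrying an erase-line sequence, a carriage return and a C1 CSI.
$description = "Handy utils\x1b[2K\rlooks-trusted \u{9B}31m";
echo neutralizeForTerminal($description), PHP_EOL;
```

Apply such a filter at the point of output to every field that originates from a repository, registry or other remote response, not only to fields that look like free text.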
Recommendations
Update to Composer version 2.2.26 or later.
Update to Composer version 2.9.3 or later.
Exploit
Fix
DoS
Special Elements Injection
Affected Products
Composer
Debian
Red Os