Cyber Web Spider Blog – News

Critical PHP Composer Flaw Allows Command Execution

Posted on April 15, 2026 By CWS

Updates have been released for PHP Composer that fix two critical vulnerabilities allowing command execution on the machine running Composer. Because Composer is the standard dependency manager for PHP projects, and runs on developer workstations and CI runners alike, flaws of this kind expose a very large population.

Details of the Vulnerabilities

Both vulnerabilities lie in Composer's Perforce Version Control System (VCS) driver and can let an attacker run arbitrary commands on the affected system. Developers are advised to update immediately to Composer 2.9.6, or to 2.2.27 on the long-term support (LTS) branch.

According to the security advisory published by Composer maintainer Nils Adermann, both issues stem from unsafe construction of shell commands from attacker-influenced input.

No in-the-wild exploitation had been reported as of the advisory's publication.

Exploring the Security Flaws

The flaws pose a significant risk to developers who run Composer inside untrusted projects, or who install packages whose metadata an attacker controls.

CVE-2026-40176: Reported by saku0512, this vulnerability affects how Perforce command lines are generated. An attacker can inject commands by placing crafted Perforce connection parameters in a malicious composer.json file. Exploitation requires a victim to run Composer commands inside an untrusted project directory (for example, a freshly cloned repository), so it does not trigger on its own.

CVE-2026-40261: Reported by Koda Reef, this flaw is an improperly escaped parameter in a system shell command. It can be exploited even when the Perforce client is not installed on the target machine, so installing a malicious dependency is enough to reach it; this makes it the higher-risk issue of the two.
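The following is an added illustration of the bug class behind both CVEs, not Composer's own driver code. It models a VCS driver that builds a p4 command line from connection parameters taken from package metadata (the p4user and url field names are Composer's documented Perforce repository fields; the command layout is a hypothetical stand-in) and hands it to a shell. The unsafe builder interpolates the values directly; the hardened builder quotes every operand with shlex.quote, the Python counterpart of PHP's escapeshellarg(). The injected marker command runs whether or not p4 exists on the machine, which is exactly why the second CVE does not require Perforce to be installed.

```python
"""Model of the command-injection class described above (not Composer's code).

A Perforce-style VCS driver needs to run the p4 client with connection
parameters (user, server address) that arrive in package metadata.  If it
builds the command line by string interpolation and hands it to a shell, a
crafted value such as "alice; echo INJECTED" becomes a second command.
Quoting every operand (shlex.quote here, escapeshellarg() in PHP) keeps the
whole value inside a single argument.
"""
import shlex
import subprocess

# Constructed sample metadata, shaped like a Composer "perforce" repository
# entry (field names from Composer's documentation).  The command layout used
# below is an illustration, not the real driver's implementation.
BENIGN_CONFIG = {"p4user": "alice", "url": "perforce.example.test:1666"}
MALICIOUS_CONFIG = {"p4user": "alice; echo INJECTED", "url": "perforce.example.test:1666"}


def build_command_unsafe(config: dict) -> str:
    """Interpolates metadata straight into a shell command line (vulnerable)."""
    return f"p4 -u {config['p4user']} -p {config['url']} info"


def build_command_safe(config: dict) -> str:
    """Quotes every operand so shell metacharacters stay inside one argument."""
    return "p4 -u {} -p {} info".format(
        shlex.quote(config["p4user"]), shlex.quote(config["url"])
    )


def run_through_shell(cmd: str) -> str:
    """Runs the line via /bin/sh, as a shell-string API would, and returns stdout.

    p4 is not expected to be installed: the p4 invocation fails harmlessly on
    stderr, while anything injected after ';' still executes in the unsafe
    variant.  That is the "no Perforce needed" property of CVE-2026-40261.
    """
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def injection_succeeds(config: dict, builder) -> bool:
    """True when the marker written by the injected command shows up on stdout."""
    return "INJECTED" in run_through_shell(builder(config))


if __name__ == "__main__":
    print("unsafe :", build_command_unsafe(MALICIOUS_CONFIG))
    print("safe   :", build_command_safe(MALICIOUS_CONFIG))
    print("unsafe runs payload:", injection_succeeds(MALICIOUS_CONFIG, build_command_unsafe))
    print("safe runs payload  :", injection_succeeds(MALICIOUS_CONFIG, build_command_safe))
```

Quoting is the minimum fix; the more robust design passes the argument vector to the process directly (no shell at all), which is what subprocess.run without shell=True or Composer's own ProcessExecutor with an argument array gives you.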

Protective Measures and Recommendations

Packagist.org and Private Packagist were proactively scanned for packages carrying Perforce source metadata, and no exploitation attempts were found. As a precaution, publication of Perforce source metadata has been disabled on both platforms since April 10, 2026.

The most effective mitigation is to update Composer immediately by running composer self-update (or php composer.phar self-update if you invoke the phar directly); to stay on the LTS branch, use composer self-update --2.2, which brings you to 2.2.27. If you cannot update right away, consider these temporary measures:

  • Use the --prefer-dist flag so packages are installed from dist archives rather than from VCS source checkouts.
  • Rely solely on trusted Composer package repositories.
  • Inspect the composer.json of any untrusted project before running Composer in it, and make sure every Perforce-related field (repository type, url, depot, branch, p4user) holds a plain value with no shell metacharacters.
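An added audit helper covering the version check and the composer.json inspection from the list above; it is not part of the advisory or of Composer. It compares the installed version against the two fixed releases named on this page, treating the 2.2 LTS branch separately (2.3 through 2.9.5 are unpatched even though they are numerically above 2.2.27), and lists any Perforce repository in composer.json or Perforce-sourced package in composer.lock. The "perforce" type string and the field names follow Composer's repository documentation; that the lock file records the same type string under "source" is an assumption, as is the "Composer version X.Y.Z ..." shape of composer --version output. All inputs are constructed samples.

```python
"""Added audit helper for the mitigation list above (not from the advisory or
from Composer itself).  Two checks worth scripting while the fix rolls out:

  1. Is the installed Composer at or above a fixed release?  The fix is 2.9.6
     on the current branch and 2.2.27 on the LTS branch, so 2.3 through 2.9.5
     are unpatched even though they are "newer" than 2.2.27.
  2. Does composer.json declare a Perforce repository, or does composer.lock
     pin a package to a Perforce source?  Those are the inputs the affected
     driver consumes.  Type string and field names follow Composer's
     repository docs; the lock-file "source" type is assumed to match.
"""
import json
import re

FIXED_LTS = (2, 2, 27)
FIXED_CURRENT = (2, 9, 6)


def parse_version(text: str) -> tuple:
    """Extracts X.Y.Z from a bare version string or from `composer --version`
    output (assumed to look like "Composer version 2.9.5 2026-04-01 ...")."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(text: str) -> bool:
    """True when the version is on or above the fixed release of its branch."""
    v = parse_version(text)
    if v[:2] == (2, 2):          # LTS branch has its own fixed release
        return v >= FIXED_LTS
    return v >= FIXED_CURRENT


def find_perforce_refs(composer_json: str, composer_lock: str = "") -> list:
    """Lists Perforce repositories in composer.json and Perforce-sourced
    packages in composer.lock.  An empty list means the driver is not
    reachable from this project's own metadata."""
    findings = []
    repos = json.loads(composer_json).get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts a name -> repo mapping
        repos = list(repos.values())
    for repo in repos:
        if isinstance(repo, dict) and repo.get("type") == "perforce":
            findings.append(f"composer.json repository -> {repo.get('url')}")
    if composer_lock:
        lock = json.loads(composer_lock)
        for section in ("packages", "packages-dev"):
            for pkg in lock.get(section, []):
                src = pkg.get("source") or {}
                if src.get("type") == "perforce":
                    findings.append(
                        f"composer.lock {section}: {pkg.get('name')} -> {src.get('url')}"
                    )
    return findings


def audit(version_output: str, composer_json: str, composer_lock: str = "") -> list:
    """Returns the actions to take; an empty list means nothing to do."""
    actions = []
    if not is_patched(version_output):
        actions.append("update Composer (composer self-update; 2.9.6 or 2.2.27 LTS)")
    for ref in find_perforce_refs(composer_json, composer_lock):
        actions.append(f"review Perforce metadata before running Composer: {ref}")
    return actions


# Constructed sample inputs (not real project files).
SAMPLE_VERSION_OUTPUT = "Composer version 2.9.5 2026-04-01 12:00:00"
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "require": {"vendor/lib": "^1.0"},
    "repositories": [
        {"type": "perforce", "url": "perforce.example.test:1666",
         "depot": "main", "branch": "mainline", "p4user": "alice"},
        {"type": "vcs", "url": "https://github.com/example/other"},
    ],
})
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/lib", "version": "1.0.0",
         "source": {"type": "perforce", "url": "perforce.example.test:1666",
                    "reference": "mainline"}},
        {"name": "vendor/ok", "version": "2.1.0",
         "source": {"type": "git", "url": "https://github.com/example/ok",
                    "reference": "abc123"}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for action in audit(SAMPLE_VERSION_OUTPUT, SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK):
        print("-", action)
```

Feed it the real values with something like audit(subprocess.check_output(["composer", "--version"], text=True), open("composer.json").read(), open("composer.lock").read()). A clean scan only shows that the project's own metadata does not reach the driver; it says nothing about what a dependency fetched later might declare, so the version check remains the control that matters.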

Customers running self-hosted Private Packagist should expect an update shortly, including tooling to scan for malicious Perforce metadata.

Copyright © 2026 Cyber Web Spider Blog – News.