Two critical security flaws have been identified and addressed in Composer, the widely-used package manager for PHP. These vulnerabilities, if exploited, could lead to arbitrary command execution, posing significant risks to developers and their systems. The flaws are specifically linked to the Perforce version control system (VCS) driver used within Composer.
Details of the Vulnerabilities
The first vulnerability, tracked as CVE-2026-40176 with a CVSS score of 7.8, involves improper input validation. It allows malicious actors to manipulate a composer.json file so that arbitrary commands are introduced and potentially executed in the context of the user running Composer. The second vulnerability, CVE-2026-40261, carries a higher CVSS score of 8.8. This flaw arises from inadequate escaping, enabling attackers to inject harmful commands via crafted source references that include shell metacharacters.
In both scenarios, the injected commands could be executed by Composer even if the Perforce VCS is not installed, as per the maintainers’ advisory.
Affected Versions and Security Recommendations
The vulnerabilities affect Composer versions from 2.3 up to 2.9.6 and from 2.0 up to 2.2.27; the fixes shipped in versions 2.9.6 and 2.2.27, respectively. Users are strongly urged to update their Composer installations to these fixed versions immediately.
For those who cannot apply the patches immediately, it is recommended to thoroughly inspect composer.json files for any suspicious configurations before executing Composer commands. It is also advisable to use only trusted repositories and to avoid installing dependencies with the ‘--prefer-dist’ or ‘preferred-install: dist’ settings.
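The "inspect composer.json before running Composer" advice is easier to follow with a script than by eye. The following checker is an added example, not code from the Composer project or from the advisory: it walks the repositories section of a composer.json document, flags any repository (or inline package source) that uses the Perforce driver, and reports any string value in those entries that contains shell metacharacters. The sample documents are constructed for this example, the field names (url, branch, p4user, source.reference) follow Composer's documented repository schema, and the metacharacter set is an assumption chosen for review purposes rather than the exact set Composer's fix escapes.

```python
import json
import re
import sys

# Characters that can break a value out of a shell argument. A hit in a depot path,
# branch, or source reference is worth a human look before Composer is run.
# (Assumed review set; not the exact set Composer's own patch handles.)
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r]")


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def audit_composer_json(text):
    """Return a list of (json_path, reason) findings for a composer.json document."""
    doc = json.loads(text)
    findings = []
    repos = doc.get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    for index, repo in enumerate(repos):
        if not isinstance(repo, dict):
            continue
        base = f"repositories[{index}]"
        if repo.get("type") == "perforce":
            findings.append((base, "uses the Perforce VCS driver"))
        # Inline "package" repositories carry their own source block.
        package = repo.get("package")
        source = package.get("source", {}) if isinstance(package, dict) else {}
        if isinstance(source, dict) and source.get("type") == "perforce":
            findings.append((f"{base}.package.source", "package source uses the Perforce VCS driver"))
        for path, value in iter_strings(repo, base):
            if SHELL_METACHARS.search(value):
                findings.append((path, f"contains shell metacharacters: {value!r}"))
    return findings


# Constructed sample: ordinary Composer and Git repositories, nothing to report.
SAMPLE_CLEAN = json.dumps({
    "name": "acme/app",
    "repositories": [
        {"type": "composer", "url": "https://repo.example.com"},
        {"type": "vcs", "url": "https://git.example.com/acme/lib.git"},
    ],
})

# Constructed sample: a Perforce repository plus an inline package whose source
# reference carries a pipe character.
SAMPLE_SUSPICIOUS = json.dumps({
    "name": "acme/app",
    "repositories": [
        {"type": "perforce", "url": "//depot/acme/lib", "branch": "main", "p4user": "build"},
        {"type": "package", "package": {
            "name": "acme/tool",
            "version": "1.0.0",
            "source": {"type": "perforce", "url": "//depot/acme/tool", "reference": "1.0.0|extra"},
        }},
    ],
})


if __name__ == "__main__":
    # Usage: python audit_composer.py [path/to/composer.json]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUSPICIOUS
    for path, reason in audit_composer_json(text):
        print(f"{path}: {reason}")
```

A finding is a prompt for review, not proof of tampering: an ampersand inside an HTTPS query string, for example, is a benign hit. The useful signal is a Perforce entry you did not expect in a project, or a depot path, branch or reference that contains characters a VCS identifier has no reason to carry.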
Proactive Measures and Future Outlook
Composer’s team has proactively scanned Packagist.org, the central repository for PHP packages, and has found no evidence of these vulnerabilities being exploited through the distribution of malicious packages. In response to the discovery, the publication of Perforce source metadata on Packagist.org has been disabled as a precautionary measure since April 10, 2026. A new release is anticipated for Private Packagist Self-Hosted users to further enhance security measures.
In conclusion, while no active exploitation has been detected, the immediate application of these patches is crucial to safeguard against potential threats. Keeping software up-to-date and adhering to best practices in security configurations remain pivotal in protecting systems from such vulnerabilities.
