The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and “backdoor every PHP package,” resulting in a supply-chain attack.
Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.
“Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders,” Composer said in its release notes for versions 2.0.13 and 1.10.22, released on Wednesday. “To the best of our knowledge the vulnerability has not been exploited.”
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages related to a project. It also allows users to install PHP applications that are available from a repository that aggregates all public PHP packages installable with Composer.
According to SonarSource, the vulnerability stems from the way package source download URLs are handled, potentially leading to a scenario where an adversary could trigger remote command injection. As proof of this behavior, the researchers exploited the flaw to craft a malicious Mercurial repository URL that takes advantage of one of Mercurial's options to execute a shell command of the attacker's choice.
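The class of bug described above, an untrusted repository URL reaching a VCS command line, is handled defensively in the following added example, which is not Composer's code and not part of the original article. The function name `buildHgCloneArgv`, the allowed schemes, and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Composer's code: builds the argv for `hg clone`
// from an untrusted repository URL taken from package metadata.
function buildHgCloneArgv(string $url, string $targetDir): array
{
    // A value starting with "-" would be parsed by hg as an option, not a URL.
    foreach ([$url, $targetDir] as $value) {
        if ($value === '' || $value[0] === '-') {
            throw new InvalidArgumentException('Refusing option-like argument: ' . $value);
        }
    }
    // Reject control characters and whitespace that have no place in a URL.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        throw new InvalidArgumentException('Refusing URL with whitespace or control characters');
    }
    // Allow only the transports this deployment expects (assumed policy).
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['https', 'ssh'], true)) {
        throw new InvalidArgumentException('Refusing URL scheme: ' . var_export($scheme, true));
    }
    // "--" ends option parsing, so later elements are treated as positional.
    return ['hg', 'clone', '--', $url, $targetDir];
}

// Constructed sample inputs; the second stands in for an option-like value.
$samples = [
    'https://hg.example.org/vendor/package',
    '--some-option=value',
    'file:///tmp/repo',
];
foreach ($samples as $sample) {
    try {
        $argv = buildHgCloneArgv($sample, '/tmp/checkout');
        // In real use, pass the array to proc_open(): with an array command
        // PHP (7.4+) starts the program directly, without a shell.
        echo 'OK      ', json_encode($argv, JSON_UNESCAPED_SLASHES), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'REJECT  ', $e->getMessage(), PHP_EOL;
    }
}
```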
“A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a big impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies,” SonarSource said.
The Geneva-based code security firm said one of the bugs was introduced in November 2011, suggesting that the vulnerable code lurked right from the time development on Composer began years ago. The first “alpha” version of Composer was released on July 3, 2013.
“The impact to Composer users directly is limited because the file is usually under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins,” Jordi Boggiano, one of the primary developers behind Composer, said.