Composer
Monthly
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.
Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.
Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.
Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. Reported through ZDI (ZDI-26-384, ZDI-CAN-27990); no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but an upstream source fix is available.
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Composer is a dependency manager for the PHP programming language. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Composer is an open source dependency manager for the PHP language. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.
Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.
Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.
Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. Reported through ZDI (ZDI-26-384, ZDI-CAN-27990); no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but an upstream source fix is available.
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Composer is a dependency manager for the PHP programming language. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Composer is an open source dependency manager for the PHP language. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.