Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar's self-update.
The following are of high risk:
Composer being run with sudo.
Pipelines which may execute Composer on untrusted projects.
Shared environments with developers who run Composer individually on the same project.
Patches
2.7.0, 2.2.23
Workarounds
It is advised that the patched versions are applied at the earliest convenience.
Where not possible, the following should be addressed:
Remove all sudo composer privileges for all users to mitigate root privilege escalation.
Avoid running Composer within an untrusted directory, or if needed, verify that the contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code.
A reset can also be done on these files by the following:
composer/composer (composer/composer)
### [`v2.7.0`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#270-2024-02-08)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.6...2.7.0)
- Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
- Changed the default of the `audit.abandoned` config setting to `fail`, set it to `report` or `ignore` if you do not want this, or set it via `COMPOSER_AUDIT_ABANDONED` env var ([#11643](https://togithub.com/composer/composer/issues/11643))
- Added --minimal-changes (-m) flag to `update`/`require`/`remove` commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies ([#11665](https://togithub.com/composer/composer/issues/11665))
- Added --sort-by-age (-A) flag to `outdated`/`show` commands to allow sorting by and displaying the release date (most outdated first) ([#11762](https://togithub.com/composer/composer/issues/11762))
- Added support for `--self` combined with `--installed` or `--locked` in `show` command, to add the root package to the package list being output ([#11785](https://togithub.com/composer/composer/issues/11785))
- Added severity information to `audit` command output ([#11702](https://togithub.com/composer/composer/issues/11702))
- Added `scripts-aliases` top level key in composer.json to define aliases for custom scripts you defined ([#11666](https://togithub.com/composer/composer/issues/11666))
- Added IPv4 fallback on connection timeout, as well as a `COMPOSER_IPRESOLVE` env var to force IPv4 or IPv6, set it to `4` or `6` ([#11791](https://togithub.com/composer/composer/issues/11791))
- Added support for wildcards in `outdated`'s --ignore arg ([#11831](https://togithub.com/composer/composer/issues/11831))
- Added support for `bump` command bumping `*` to `>=current version` ([#11694](https://togithub.com/composer/composer/issues/11694))
- Added detection of constraints that cannot possibly match anything to `validate` command ([#11829](https://togithub.com/composer/composer/issues/11829))
- Added package source information to the output of `install` when running in very verbose (-vv) mode ([#11763](https://togithub.com/composer/composer/issues/11763))
- Added audit of Composer's own bundled dependencies in `diagnose` command ([#11761](https://togithub.com/composer/composer/issues/11761))
- Added GitHub token expiration date to `diagnose` command output ([#11688](https://togithub.com/composer/composer/issues/11688))
- Added non-zero status code to why/why-not commands ([#11796](https://togithub.com/composer/composer/issues/11796))
- Added error when calling `show --direct ` with an indirect/transitive dependency ([#11728](https://togithub.com/composer/composer/issues/11728))
- Added `COMPOSER_FUND=0` env var to hide calls for funding ([#11779](https://togithub.com/composer/composer/issues/11779))
- Fixed `bump` command not bumping packages required with a `v` prefix ([#11764](https://togithub.com/composer/composer/issues/11764))
- Fixed automatic disabling of plugins when running non-interactive as root
- Fixed `update --lock` not keeping the dist reference/url/checksum pinned ([#11787](https://togithub.com/composer/composer/issues/11787))
- Fixed `require` command crashing at the end if no lock file is present ([#11814](https://togithub.com/composer/composer/issues/11814))
- Fixed root aliases causing problems when auditing locked dependencies ([#11771](https://togithub.com/composer/composer/issues/11771))
- Fixed handling of versions with 4 components in `require` command ([#11716](https://togithub.com/composer/composer/issues/11716))
- Fixed compatibility issues with Symfony 7
- Fixed composer.json remaining behind after a --dry-run of the `require` command ([#11747](https://togithub.com/composer/composer/issues/11747))
- Fixed warnings being shown incorrectly under some circumstances ([#11786](https://togithub.com/composer/composer/issues/11786), [#11760](https://togithub.com/composer/composer/issues/11760), [#11803](https://togithub.com/composer/composer/issues/11803))
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
^2.6.4->^2.7.0GitHub Vulnerability Alerts
CVE-2024-24821
Impact
Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar's self-update.
The following are of high risk:
Patches
2.7.0, 2.2.23
Workarounds
Where not possible, the following should be addressed:
vendor/composer/InstalledVersions.phpandvendor/composer/installed.phpdo not include untrusted code.A reset can also be done on these files by the following:
Release Notes
composer/composer (composer/composer)
### [`v2.7.0`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#270-2024-02-08) [Compare Source](https://togithub.com/composer/composer/compare/2.6.6...2.7.0) - Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821) - Changed the default of the `audit.abandoned` config setting to `fail`, set it to `report` or `ignore` if you do not want this, or set it via `COMPOSER_AUDIT_ABANDONED` env var ([#11643](https://togithub.com/composer/composer/issues/11643)) - Added --minimal-changes (-m) flag to `update`/`require`/`remove` commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies ([#11665](https://togithub.com/composer/composer/issues/11665)) - Added --sort-by-age (-A) flag to `outdated`/`show` commands to allow sorting by and displaying the release date (most outdated first) ([#11762](https://togithub.com/composer/composer/issues/11762)) - Added support for `--self` combined with `--installed` or `--locked` in `show` command, to add the root package to the package list being output ([#11785](https://togithub.com/composer/composer/issues/11785)) - Added severity information to `audit` command output ([#11702](https://togithub.com/composer/composer/issues/11702)) - Added `scripts-aliases` top level key in composer.json to define aliases for custom scripts you defined ([#11666](https://togithub.com/composer/composer/issues/11666)) - Added IPv4 fallback on connection timeout, as well as a `COMPOSER_IPRESOLVE` env var to force IPv4 or IPv6, set it to `4` or `6` ([#11791](https://togithub.com/composer/composer/issues/11791)) - Added support for wildcards in `outdated`'s --ignore arg ([#11831](https://togithub.com/composer/composer/issues/11831)) - Added support for `bump` command bumping `*` to `>=current version` ([#11694](https://togithub.com/composer/composer/issues/11694)) - Added detection of constraints that cannot possibly match anything to `validate` command ([#11829](https://togithub.com/composer/composer/issues/11829)) - Added package source information to the output of `install` when running in very verbose (-vv) mode ([#11763](https://togithub.com/composer/composer/issues/11763)) - Added audit of Composer's own bundled dependencies in `diagnose` command ([#11761](https://togithub.com/composer/composer/issues/11761)) - Added GitHub token expiration date to `diagnose` command output ([#11688](https://togithub.com/composer/composer/issues/11688)) - Added non-zero status code to why/why-not commands ([#11796](https://togithub.com/composer/composer/issues/11796)) - Added error when calling `show --directConfiguration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Read more about the use of Renovate Bot within
ocramius/*projects.