VYPR
High severityNVD Advisory· Published Sep 29, 2023· Updated Jun 18, 2025

Remote Code Execution via web-accessible composer.phar

CVE-2023-43655

Description

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
composer/composerPackagist
< 1.10.271.10.27
composer/composerPackagist
>= 2.0.0, < 2.2.222.2.22
composer/composerPackagist
>= 2.3.0, < 2.6.42.6.4

Affected products

8

Patches

Vulnerability mechanics

References

13

News mentions

0

No linked articles in our index yet.