CVE-2024-35241
Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands can be used to execute code when a package was installed from source via git and its repository contains specially crafted branch names. Patches for this issue are available in version 2.2.24 for the 2.2 LTS branch and 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
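The following PHP is an added example, not Composer's own code: it contrasts the interpolated `sprintf` form from the vulnerable `GitDownloader` with the argument-array form used by the mainline fix, and scans a constructed `git branch -r` listing for ref names that a shell would reinterpret. The function names, the metacharacter regex and the sample branch names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not Composer's code). The branch names below are constructed.

// Characters that change meaning when a value is interpolated into a shell string.
const SHELL_META = '/[;&|`$()<>\'"\\\\\s]/';

// Vulnerable form (before the fix): the range is interpolated into a shell string.
function buildDiffCommandUnsafe(string $remoteBranch, string $branch): string
{
    return sprintf('git diff --name-status %s...%s --', $remoteBranch, $branch);
}

// Fixed form (mainline): each argument is handed to the process separately, no shell.
function buildDiffCommandSafe(string $remoteBranch, string $branch): array
{
    return ['git', 'diff', '--name-status', $remoteBranch . '...' . $branch, '--'];
}

// True when a ref name would be reinterpreted inside a shell string.
function branchNameIsShellUnsafe(string $name): bool
{
    return preg_match(SHELL_META, $name) === 1;
}

// Scan the output of `git branch -r --format=%(refname:short)` for risky names.
function findShellUnsafeBranches(string $gitBranchOutput): array
{
    $flagged = [];
    foreach (preg_split('/\R/', trim($gitBranchOutput)) as $line) {
        $line = trim($line);
        if ($line !== '' && branchNameIsShellUnsafe($line)) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Constructed sample listing: two ordinary refs and one crafted ref.
$sample = "origin/main\norigin/release-1.2\norigin/feat;x\n";
foreach (findShellUnsafeBranches($sample) as $name) {
    echo "suspicious remote branch: $name\n";
    echo "  unsafe string: " . buildDiffCommandUnsafe($name, 'main') . "\n";
    echo "  safe argv:     " . json_encode(buildDiffCommandSafe($name, 'main')) . "\n";
}
```

Feeding the real output of `git branch -r --format=%(refname:short)` from a `vendor/` checkout into `findShellUnsafeBranches` is a quick way to spot refs that would have been unsafe under the pre-fix command.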
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| composer/composer | Packagist | >= 2.0, < 2.2.24 | 2.2.24 |
| composer/composer | Packagist | >= 2.3, < 2.7.7 | 2.7.7 |
Patches
b93fc6ca437d: Merge pull request from GHSA-47f6-5gq3-vx9c
1 file changed · +1 −1
src/Composer/Downloader/GitDownloader.php+1 −1 modified@@ -290,7 +290,7 @@ public function getUnpushedChanges(PackageInterface $package, $path) $unpushedChanges = null; } foreach ($remoteBranches as $remoteBranch) { - $command = sprintf('git diff --name-status %s...%s --', $remoteBranch, $branch); + $command = sprintf('git diff --name-status %s --', ProcessExecutor::escape($remoteBranch.'...'.$branch)); if (0 !== $this->process->execute($command, $output, $path)) { throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput()); }
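Review bot: the escape is applied to the whole `$remoteBranch.'...'.$branch` range, so both names reach git as one quoted argument and the `sprintf` no longer lets a branch name break out of the shell string; the `RuntimeException` on the next line now reports the escaped form, which is what actually ran, so that is consistent. Because this backport still builds a shell string, a regression test with a constructed branch name containing a shell metacharacter would keep a future edit from reintroducing the raw `%s...%s` interpolation.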
ee28354ca8d3: Merge pull request from GHSA-47f6-5gq3-vx9c
1 file changed · +2 −2
src/Composer/Downloader/GitDownloader.php+2 −2 modified@@ -294,9 +294,9 @@ public function getUnpushedChanges(PackageInterface $package, string $path): ?st $unpushedChanges = null; } foreach ($remoteBranches as $remoteBranch) { - $command = sprintf('git diff --name-status %s...%s --', $remoteBranch, $branch); + $command = ['git', 'diff', '--name-status', $remoteBranch.'...'.$branch, '--']; if (0 !== $this->process->execute($command, $output, $path)) { - throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput()); + throw new \RuntimeException('Failed to execute ' . implode(' ', $command) . "\n\n" . $this->process->getErrorOutput()); } $output = trim($output);
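Review bot: passing `$command` as an argument array removes the shell from this call entirely, which is stronger than the escape-based 2.2 backport, but `implode(' ', $command)` in the `RuntimeException` message discards the argument boundaries, so a branch name containing spaces or metacharacters is displayed as if it were several arguments; `implode(' ', array_map([ProcessExecutor::class, 'escape'], $command))` would keep the message unambiguous. As with the 2.2 fix, a test exercising `getUnpushedChanges` with a metacharacter-bearing branch name would guard the `--name-status` call against regression.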
References
- github.com/advisories/GHSA-47f6-5gq3-vx9c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-35241 (GHSA, advisory)
- github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4 (NVD, web)
- github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704 (NVD, web)
- github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c (NVD, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/ (GHSA and NVD, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/ (GHSA and NVD, web)
- www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability (NVD, web)
- www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer (NVD, web)