High severity (NVD score 8.8) · Advisory · Published Jun 10, 2024 · Updated Apr 15, 2026
CVE-2024-35242
Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
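To make the mechanism concrete, here is an added PHP illustration (not Composer's own code) of the two shapes involved: the string-template form the vulnerable versions used, where the substituted branch names are later parsed by a shell, and the argument-list form the fix adopts, executed here with PHP's own proc_open() in array mode (PHP 7.4 or newer) so that no shell is involved. The function names, the sample branch names and the use of /bin/echo as a stand-in for git are assumptions of this example.

```php
<?php
// Added illustration (not Composer's code): the shape of the bug behind
// CVE-2024-35242 and the shape of the fix, using PHP's own proc_open().

declare(strict_types=1);

/**
 * Vulnerable pattern: the SCM command is one shell string and the branch
 * names are spliced into it textually. Whatever a branch name contains is
 * handed to /bin/sh for parsing together with the command.
 */
function buildShellCommand(string $template, string $candidate, string $branch): string
{
    return str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $template);
}

/**
 * Hardened pattern (what the 2.7.7 fix does): the command is a list of
 * argv elements, placeholders are substituted per element, and the list is
 * executed without a shell, so each branch name stays exactly one argument.
 * The '--' element additionally stops git from reading a name that starts
 * with '-' as an option.
 *
 * @param list<string> $template
 * @return list<string>
 */
function buildArgv(array $template, string $candidate, string $branch): array
{
    return array_map(
        static fn (string $component): string =>
            str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $component),
        $template
    );
}

/**
 * Run an argv list with proc_open() in array mode (PHP >= 7.4), which
 * bypasses the shell entirely. Returns [exit code, stdout].
 *
 * @param list<string> $argv
 * @return array{0: int, 1: string}
 */
function runArgv(array $argv, ?string $cwd = null): array
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    return [proc_close($proc), $stdout];
}

// Constructed sample: git accepts ';' in a refname, but a shell treats it as
// a command separator, so the two forms diverge on this branch name.
$candidate = 'v1.0';
$branch    = 'feature/x;y';

$shellCmd = buildShellCommand('git rev-list %candidate%..%branch%', $candidate, $branch);
echo "string form (shell-parsed): $shellCmd\n";

$argv = buildArgv(['git', 'rev-list', '--', '%candidate%..%branch%'], $candidate, $branch);
echo "argv form (no shell):       " . json_encode($argv, JSON_UNESCAPED_SLASHES) . "\n";

// Show that the argv form delivers the range as a single argument: echo the
// element back through an external binary (/bin/echo, not a shell builtin).
[$code, $out] = runArgv(['/bin/echo', $argv[3]]);
echo "child received: " . trim($out) . " (exit $code)\n";
```

The point to check in any similar code base is the type of the first argument reaching the process-execution layer: if it is a string, a shell will parse it and every substituted value must be escaped; if it is a list, each element is one argument and no shell parsing happens at all.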
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| composer/composer (Packagist) | >= 2.0, < 2.2.24 | 2.2.24 |
| composer/composer (Packagist) | >= 2.3, < 2.7.7 | 2.7.7 |
Patches
6bd43dff859c: Merge pull request from GHSA-v9qv-c7wm-wgmf
2 files changed · +11 −10
src/Composer/Package/Version/VersionGuesser.php+8 −7 modified@@ -173,7 +173,7 @@ private function guessGitVersion(array $packageConfig, string $path): array $featurePrettyVersion = $prettyVersion; // try to find the best (nearest) version branch to assume this feature's version - $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path); + $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['git', 'rev-list', '%candidate%..%branch%'], $path); $version = $result['version']; $prettyVersion = $result['pretty_version']; } @@ -248,7 +248,7 @@ private function guessHgVersion(array $packageConfig, string $path): ?array $branches = array_map('strval', array_keys($driver->getBranches())); // try to find the best (nearest) version branch to assume this feature's version - $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path); + $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['hg', 'log', '-r', 'not ancestors(\'%candidate%\') and ancestors(\'%branch%\')', '--template', '"{node}\\n"'], $path); $result['commit'] = ''; $result['feature_version'] = $version; $result['feature_pretty_version'] = $version; 
@@ -261,13 +261,12 @@ private function guessHgVersion(array $packageConfig, string $path): ?array /** * @param array<string, mixed> $packageConfig - * @param string[] $branches - * - * @phpstan-param non-empty-string $scmCmdline + * @param list<string> $branches + * @param list<string> $scmCmdline * * @return array{version: string|null, pretty_version: string|null} */ - private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, string $scmCmdline, string $path): array + private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, array $scmCmdline, string $path): array { $prettyVersion = $version; @@ -309,7 +308,9 @@ private function guessFeatureVersion(array $packageConfig, ?string $version, arr continue; } - $cmdLine = str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $scmCmdline); + $cmdLine = array_map(static function (string $component) use ($candidate, $branch) { + return str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $component); + }, $scmCmdline); $promises[] = $this->process->executeAsync($cmdLine, $path)->then(function (Process $process) use (&$length, &$version, &$prettyVersion, $candidateVersion, &$promises): void { if (!$process->isSuccessful()) { return;
tests/Composer/Test/Package/Version/VersionGuesserTest.php+3 −3 modified@@ -117,7 +117,7 @@ public function testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF 'stdout' => " arbitrary $commitHash Commit message\n* feature $anotherCommitHash Another message\n", ], [ - 'cmd' => 'git rev-list arbitrary..feature', + 'cmd' => ['git', 'rev-list', 'arbitrary..feature'], 'stdout' => "$anotherCommitHash\n", ], ], true); @@ -147,7 +147,7 @@ public function testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF 'stdout' => " latest-testing $commitHash Commit message\n* feature $anotherCommitHash Another message\n", ], [ - 'cmd' => 'git rev-list latest-testing..feature', + 'cmd' => ['git', 'rev-list', 'latest-testing..feature'], 'stdout' => "$anotherCommitHash\n", ], ], true); @@ -352,7 +352,7 @@ public function testRemoteBranchesAreSelected(): void "remotes/origin/1.5 03a15d220da53c52eddd5f32ffca64a7b3801bea Commit message\n", ], [ - 'cmd' => 'git rev-list remotes/origin/1.5..feature-branch', + 'cmd' => ['git', 'rev-list', 'remotes/origin/1.5..feature-branch'], 'stdout' => "\n", ], ], true);
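Review bot: In the guessGitVersion hunk (line 173) the new argv element `'%candidate%..%branch%'` follows `'rev-list'` with no `--` separator, so a candidate or branch name beginning with `-` would still be read by git as an option; the 2.2 backport on this page inserts `--` before the range, and the same `'--'` element fits here. Switching from one shell string to a list of arguments is the right fix, because the substituted branch names no longer pass through a shell. Two smaller points: the hg template element `'"{node}\\n"'` keeps the double quotes that used to be shell quoting and now reaches hg literally, which is worth confirming against hg since the three updated test expectations cover git only; and a regression test with a branch name containing a shell metacharacter would document what this change protects against.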
fc57b93603d7: Merge pull request from GHSA-v9qv-c7wm-wgmf
2 files changed · +8 −7
src/Composer/Package/Version/VersionGuesser.php+5 −4 modified@@ -176,7 +176,7 @@ private function guessGitVersion(array $packageConfig, $path) $featurePrettyVersion = $prettyVersion; // try to find the best (nearest) version branch to assume this feature's version - $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path); + $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list -- %candidate%..%branch%', $path, '%candidate%..%branch%'); $version = $result['version']; $prettyVersion = $result['pretty_version']; } @@ -254,7 +254,7 @@ private function guessHgVersion(array $packageConfig, $path) $branches = array_map('strval', array_keys($driver->getBranches())); // try to find the best (nearest) version branch to assume this feature's version - $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path); + $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path, '"not ancestors(\'%candidate%\') and ancestors(\'%branch%\')"'); $result['commit'] = ''; $result['feature_version'] = $version; $result['feature_pretty_version'] = $version; @@ -271,12 +271,13 @@ private function guessHgVersion(array $packageConfig, $path) * @param string[] $branches * @param string $scmCmdline * @param string $path + * @param string $arg * * @phpstan-param non-empty-string $scmCmdline * * @return array{version: string|null, pretty_version: string|null} */ - private function guessFeatureVersion(array $packageConfig, $version, array $branches, $scmCmdline, $path) + private function guessFeatureVersion(array $packageConfig, $version, array $branches, $scmCmdline, $path, $arg) { $prettyVersion = $version; 
@@ -315,7 +316,7 @@ private function guessFeatureVersion(array $packageConfig, $version, array $bran continue; } - $cmdLine = str_replace(array('%candidate%', '%branch%'), array($candidate, $branch), $scmCmdline); + $cmdLine = str_replace($arg, str_replace(array('%candidate%', '%branch%'), array($candidate, $branch), $arg), $scmCmdline); if (0 !== $this->process->execute($cmdLine, $output, $path)) { continue; }
tests/Composer/Test/Package/Version/VersionGuesserTest.php+3 −3 modified@@ -121,7 +121,7 @@ public function testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF 'stdout' => " arbitrary $commitHash Commit message\n* feature $anotherCommitHash Another message\n", ), array( - 'cmd' => 'git rev-list arbitrary..feature', + 'cmd' => 'git rev-list -- arbitrary..feature', 'stdout' => "$anotherCommitHash\n", ), ), true); @@ -151,7 +151,7 @@ public function testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF 'stdout' => " latest-testing $commitHash Commit message\n* feature $anotherCommitHash Another message\n", ), array( - 'cmd' => 'git rev-list latest-testing..feature', + 'cmd' => 'git rev-list -- latest-testing..feature', 'stdout' => "$anotherCommitHash\n", ), ), true); @@ -364,7 +364,7 @@ public function testRemoteBranchesAreSelected() "remotes/origin/1.5 03a15d220da53c52eddd5f32ffca64a7b3801bea Commit message\n", ), array( - 'cmd' => 'git rev-list remotes/origin/1.5..feature-branch', + 'cmd' => 'git rev-list -- remotes/origin/1.5..feature-branch', 'stdout' => "\n", ), ), true);
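Review bot: In the guessFeatureVersion hunk (line 316) the substituted `$arg` is spliced back into `$scmCmdline`, which stays a single shell string handed to `$this->process->execute()`; the hunk shows no quoting of the substituted value, so a branch name containing shell metacharacters is still interpreted by the shell, and the added `--` only prevents the range from being read as a git option. Wrap the substituted value in `ProcessExecutor::escape()` (or pass an argument list, as the other commit on this page does) and adjust the three updated test expectations to match. Also, the new parameter is documented only as `@param string $arg`; a sentence stating that it is the substring of `$scmCmdline` carrying the placeholders would help the next reader.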
References
- github.com/advisories/GHSA-v9qv-c7wm-wgmf (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-35242 (NVD advisory)
- github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 (fix commit)
- github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 (fix commit)
- github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf (project advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC (Fedora package announcement)