GHSA-47f6-5gq3-vx9c

GitHub Security Advisory

Composer has a command injection via malicious git branch name

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact

When packages are installed from source via git and the repository contains a specially crafted branch name, the `status`, `reinstall` and `remove` commands can be used to execute code.

### Patches

Fixed in 2.2.24 for the 2.2 LTS branch and in 2.7.7 for mainline.

### Workarounds

Avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
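A small added check (example code, not part of the advisory or of Composer) that applies the two facts above: it classifies a Composer version against the affected ranges (2.0 up to the 2.2.24 fix, 2.3 up to the 2.7.7 fix) and tests whether a `composer.json` enforces the `preferred-install: dist` workaround. The version parser and the sample `composer.json` fragments are constructed for the example; treating a per-package `preferred-install` mapping as safe only when every entry is `dist` is this example's assumption.

```python
import json

# Fixed releases named in the advisory: 2.2.24 for the 2.2 LTS line, 2.7.7 for mainline.
FIXED_LTS = (2, 2, 24)
FIXED_MAIN = (2, 7, 7)


def parse_version(version: str) -> tuple:
    """Turn 'v2.7.6' or '2.7.6-RC1' into a comparable (major, minor, patch) tuple."""
    parts = version.lstrip("v").split("-")[0].split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version falls in a range the advisory lists as affected.

    2.0 <= v < 2.2.24 (LTS line) or 2.3 <= v < 2.7.7 (mainline).
    Anything else is outside the ranges the advisory lists.
    """
    v = parse_version(version)
    if (2, 0, 0) <= v < FIXED_LTS:
        return True
    if (2, 3, 0) <= v < FIXED_MAIN:
        return True
    return False


def workaround_applied(composer_json: str) -> bool:
    """True if composer.json forces dist installs for every package.

    preferred-install may be a plain string or a mapping of package patterns
    to 'dist'/'source'/'auto'. Assumption for this example: a mapping counts
    only when every entry is 'dist', since one 'source' override re-enables
    git checkouts for the packages it matches.
    """
    config = json.loads(composer_json).get("config", {})
    setting = config.get("preferred-install", "auto")  # Composer's default is auto
    if isinstance(setting, str):
        return setting == "dist"
    if isinstance(setting, dict):
        return bool(setting) and all(v == "dist" for v in setting.values())
    return False


# Constructed composer.json fragments for demonstration (not from any real project).
SAFE_JSON = '{"config": {"preferred-install": "dist"}}'
MIXED_JSON = '{"config": {"preferred-install": {"*": "dist", "acme/*": "source"}}}'
```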

Affected Packages

Packagist composer/composer: affected versions 2.0 (fixed in 2.2.24)
Packagist composer/composer: affected versions 2.3 (fixed in 2.7.7)

Key Information

GHSA ID
GHSA-47f6-5gq3-vx9c
Published
June 10, 2024 9:36 PM
Last Modified
April 23, 2025 2:38 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
composer/composer
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 3, 2025 6:48 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.