GHSA-jm6m-4632-36hf

GitHub Security Advisory

Composer Remote Code Execution vulnerability via web-accessible composer.phar

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact

Users who publish a composer.phar to a public, web-accessible server where the composer.phar can be executed as a PHP file may be affected if PHP also has `register_argc_argv` enabled in php.ini.

### Patches

Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

### Workarounds

Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web, which should not happen in any case.
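The Impact and Workarounds sections above name two preconditions: a composer.phar reachable under the web document root, and `register_argc_argv` left enabled. The following audit helper checks both together; it is an added example, not code from Composer or GitHub. It assumes the caller supplies the document-root path and the text of the effective php.ini (the `docroot` and `ini_text` parameters are assumptions), and it treats any `.phar` under the document root as exposed, since whether the web server actually runs it as PHP depends on handler configuration not shown on this page.

```python
"""Audit helper for the conditions described in GHSA-jm6m-4632-36hf (added example)."""
from pathlib import Path

# Values PHP treats as "on" for a boolean ini directive.
TRUTHY = {"1", "on", "yes", "true"}


def register_argc_argv_enabled(ini_text: str) -> bool:
    """Return True if this php.ini text leaves register_argc_argv enabled.

    Last assignment wins. If the directive is absent, PHP's compiled-in
    default ("1", i.e. On) applies, so absence is reported as enabled.
    """
    value = "1"  # PHP built-in default when php.ini does not set it
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank, section header, or not an assignment
        key, val = (part.strip() for part in line.split("=", 1))
        if key.lower() == "register_argc_argv":
            value = val.strip("\"'")
    return value.lower() in TRUTHY


def find_web_exposed_phars(docroot: str) -> list[str]:
    """List .phar files below the document root, as paths relative to it."""
    root = Path(docroot)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.phar") if p.is_file())


def assess(docroot: str, ini_text: str) -> dict:
    """Combine both checks; at_risk is True only when both preconditions hold."""
    phars = find_web_exposed_phars(docroot)
    argv_on = register_argc_argv_enabled(ini_text)
    return {"phars": phars, "register_argc_argv": argv_on,
            "at_risk": bool(phars) and argv_on}


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /var/www/html /etc/php/8.2/fpm/php.ini (assumed paths)
    docroot_arg, ini_path = sys.argv[1], sys.argv[2]
    result = assess(docroot_arg, Path(ini_path).read_text())
    for key, val in result.items():
        print(f"{key}: {val}")
```

The php.ini passed in must be the one the web SAPI actually loads; per-pool or per-directory overrides (php-fpm pool settings, `php_flag` in .htaccess) are not parsed here.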

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|-----------|---------|-------------------|----------|
| Packagist | composer/composer | >= 0, < 1.10.27 | 1.10.27 |
| Packagist | composer/composer | >= 2.0.0, < 2.2.22 | 2.2.22 |
| Packagist | composer/composer | >= 2.3.0, < 2.6.4 | 2.6.4 |

Key Information

- GHSA ID: GHSA-jm6m-4632-36hf
- Published: September 29, 2023 8:39 PM
- Last Modified: February 13, 2025 7:15 PM
- CVSS Score: 7.5 / 10
- Primary Ecosystem: Packagist
- Primary Package: composer/composer
- GitHub Reviewed: Yes

Dataset

Last updated: August 5, 2025 6:46 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.