GHSA-v9qv-c7wm-wgmf

GitHub Security Advisory

Composer has multiple command injections via malicious git/hg branch names

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact

Running `composer install` inside a git/hg repository that has specially crafted branch names can lead to command injection. Exploitation therefore requires that an untrusted repository has been cloned first.

### Patches

Fixed in 2.2.24 for the 2.2 LTS branch and in 2.7.7 for mainline.

### Workarounds

Avoid cloning potentially compromised repositories.
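As an added, defender-side example (not code from Composer or from this advisory), the check below flags branch names in a cloned repository that contain shell metacharacters before `composer install` is run, and tells whether an installed Composer version falls inside the affected ranges listed here. The metacharacter set is an assumed review heuristic, not the exact set the upstream fix guards against.

```python
import re
import subprocess
from typing import Iterable

# Assumption: characters a POSIX shell would interpret if a branch name were
# interpolated into a command line unquoted. Heuristic for review, not
# Composer's own allow-list.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]*?!\\'"\s]""")


def suspicious_branch_names(names: Iterable[str]) -> list[str]:
    """Return the branch names that contain shell metacharacters."""
    return [n for n in names if SHELL_META.search(n)]


def list_git_branches(repo_dir: str) -> list[str]:
    """Enumerate local and remote-tracking branch names (needs git installed)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "for-each-ref",
         "--format=%(refname:short)", "refs/heads", "refs/remotes"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def composer_is_patched(version: str) -> bool:
    """True if `version` is at or past the fix for its line.

    Advisory ranges: 2.0 <= v < 2.2.24 and 2.3 <= v < 2.7.7 are affected.
    Versions outside 2.x are not covered by the advisory and raise.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if (2, 0, 0) <= v < (2, 3, 0):
        return v >= (2, 2, 24)
    if (2, 3, 0) <= v < (3, 0, 0):
        return v >= (2, 7, 7)
    raise ValueError(f"version {version!r} is outside the ranges in the advisory")


if __name__ == "__main__":
    import sys
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    bad = suspicious_branch_names(list_git_branches(repo))
    print("suspicious branch names:", bad or "none")
```

Run it from the cloned checkout (or pass its path) before invoking `composer install`; a non-empty list is a reason to inspect the repository rather than build from it.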

Affected Packages

- Packagist: composer/composer, affected versions 2.0 (fixed in 2.2.24)
- Packagist: composer/composer, affected versions 2.3 (fixed in 2.7.7)

Related CVEs

Key Information

GHSA ID: GHSA-v9qv-c7wm-wgmf
Published: June 10, 2024 9:36 PM
Last Modified: February 13, 2025 6:50 PM
CVSS Score: 7.5 /10
Primary Ecosystem: Packagist
Primary Package: composer/composer
GitHub Reviewed: Yes

Dataset

Last updated: August 3, 2025 6:48 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.