HIGH · CVSS 7.3

CVE-2024-56204 — Composer cache-poisoning RCE

A cache-poisoning vulnerability in Composer (PHP dependency manager) could let a malicious package poison a victim's cache, resulting in RCE on subsequent installs.

Affects
  • Composer 2.x < 2.8.4

What an attacker does

An attacker publishes a malicious package version. When the victim installs any package that shares metadata paths with it, the poisoned metadata corrupts Composer's cache, and subsequent installs execute attacker-controlled code.

How to detect

Run `composer --version` on developer machines and CI runners; any Composer 2.x release below 2.8.4 is affected.

How to fix

Upgrade Composer to 2.8.4+.

How Securie catches it

Securie's PHP scanner flags Composer installations whose version is below 2.8.4.
