{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/composer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["composer","command-injection","php"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eComposer, a dependency manager for PHP, is susceptible to a command injection vulnerability (CVE-2026-40176) in versions 2.0.0 before 2.2.27 and versions 2.3.0 before 2.9.6. The vulnerability resides in the \u003ccode\u003ePerforce::generateP4Command()\u003c/code\u003e method, which fails to escape user-supplied Perforce connection parameters (port, user, client) when it concatenates them into a shell command string. An attacker who controls a repository configuration, specifically a malicious \u003ccode\u003ecomposer.json\u003c/code\u003e that declares a Perforce VCS repository, can therefore inject arbitrary shell commands through those parameters. The injected commands run with the privileges of the user invoking Composer, even if Perforce is not installed: the shell interprets the metacharacters in the assembled command line before it ever tries to locate a \u003ccode\u003ep4\u003c/code\u003e binary. 
This vulnerability can be exploited whenever Composer is run on an untrusted project whose \u003ccode\u003ecomposer.json\u003c/code\u003e is attacker-supplied.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003ecomposer.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003ecomposer.json\u003c/code\u003e declares a Perforce VCS repository.\u003c/li\u003e\n\u003cli\u003eThe Perforce connection parameters (port, user, client) in that repository entry carry shell metacharacters and the attacker\u0026rsquo;s command.\u003c/li\u003e\n\u003cli\u003eA user unknowingly runs a Composer command that resolves repositories (e.g., \u003ccode\u003ecomposer install\u003c/code\u003e, \u003ccode\u003ecomposer update\u003c/code\u003e) in a directory containing the malicious \u003ccode\u003ecomposer.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eComposer parses the \u003ccode\u003ecomposer.json\u003c/code\u003e and calls the \u003ccode\u003ePerforce::generateP4Command()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePerforce::generateP4Command()\u003c/code\u003e method builds a shell command string from the attacker-controlled, unescaped Perforce connection parameters.\u003c/li\u003e\n\u003cli\u003eComposer hands the assembled string to a shell (via \u003ccode\u003eproc_open\u003c/code\u003e underneath its process executor), which interprets the injected metacharacters before it attempts to locate \u003ccode\u003ep4\u003c/code\u003e; this is why exploitation does not require Perforce to be installed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution in the context of the user running Composer, potentially leading to sensitive information disclosure, system compromise, or further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary commands on the victim\u0026rsquo;s system with the privileges of the user running Composer. This can lead to complete system compromise, data exfiltration, or denial of service. Because Composer is routinely run by developers on freshly cloned projects and by CI runners on pull requests, the affected user is often one holding source-control credentials, registry tokens, or deployment secrets. 
While the number of victims is currently unknown, any system running a vulnerable version of Composer and processing untrusted \u003ccode\u003ecomposer.json\u003c/code\u003e files is at risk. The primary attack vector involves tricking developers or build pipelines into running Composer on projects containing malicious \u003ccode\u003ecomposer.json\u003c/code\u003e files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Composer to version 2.2.27 (2.2 LTS branch) or 2.9.6 or later to patch CVE-2026-40176.\u003c/li\u003e\n\u003cli\u003eBefore running Composer on a project from an untrusted source, inspect its \u003ccode\u003ecomposer.json\u003c/code\u003e for \u003ccode\u003eperforce\u003c/code\u003e repository entries and verify that the Perforce connection fields contain only a plain host, port, and identifier, with no shell metacharacters such as \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026\u003c/code\u003e, backticks, or \u003ccode\u003e$(\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eTreat running Composer on an untrusted checkout as equivalent to executing that project\u0026rsquo;s code: do it in a sandbox, container, or ephemeral CI runner that holds no long-lived credentials.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect Composer (PHP) spawning a shell or child processes with suspicious arguments, and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-composer-command-injection/","summary":"Composer is vulnerable to command injection via a malicious Perforce repository due to improper escaping of user-supplied Perforce connection parameters, potentially leading to arbitrary command execution in the context of the user running Composer.","title":"Composer Command Injection via Malicious Perforce Repository","url":"https://feed.craftedsignal.io/briefs/2026-04-composer-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Composer","version":"https://jsonfeed.org/version/1.1"}
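The advisory's recommendation to inspect `composer.json` for Perforce fields before running Composer can be turned into a pre-flight check. The following is an added example written for this page; it is not code from the advisory or from the Composer project. It assumes the Composer Perforce repository keys `url` (the P4PORT), `p4user`, `p4client`, `depot` and `branch`, which are assumptions about Composer's repository config rather than something the advisory states, and it rejects any value outside a deliberately narrow allow-list instead of trying to enumerate dangerous characters. Both sample `composer.json` documents are constructed for the example.

```python
import json
import re

# Narrow allow-lists for the Perforce connection parameters the advisory names
# (port, user, client). Values outside these patterns are flagged regardless of
# whether they would actually reach a shell unescaped, so the check stays valid
# even if the exact escaping bug moves between Composer versions.
# P4PORT: optional transport prefix, then host:port (e.g. ssl:perforce.example.com:1666).
HOST_PORT_RE = re.compile(r"(?:(?:ssl|tcp|tcp6|ssl6):)?[A-Za-z0-9.\-]+:\d{1,5}")
# Perforce user/client/depot/branch identifiers.
IDENT_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")

# Field names below are an assumption about Composer's Perforce repository
# configuration (not taken from the advisory); adjust to the version you run.
CHECKED_FIELDS = {
    "url": HOST_PORT_RE,
    "p4user": IDENT_RE,
    "p4client": IDENT_RE,
    "depot": IDENT_RE,
    "branch": IDENT_RE,
}


def perforce_findings(composer_json_text: str) -> list:
    """Return (repo_index, field, value, reason) for every Perforce repository
    field in composer.json that fails the allow-list. Empty list means clean."""
    doc = json.loads(composer_json_text)
    repos = doc.get("repositories", [])
    # composer.json accepts either a list or a name-keyed object of repositories.
    if isinstance(repos, dict):
        repos = list(repos.values())
    findings = []
    for index, repo in enumerate(repos):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for field, pattern in CHECKED_FIELDS.items():
            if field not in repo:
                continue
            value = repo[field]
            if not isinstance(value, str):
                findings.append((index, field, value, "non-string value"))
            elif not pattern.fullmatch(value):
                findings.append((index, field, value, "outside allow-list"))
    return findings


def is_safe_to_run(composer_json_text: str) -> bool:
    """True when no Perforce repository field looks like it carries injected shell."""
    return not perforce_findings(composer_json_text)


# Constructed sample: a benign Perforce repository declaration.
BENIGN_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "perforce", "url": "ssl:perforce.example.com:1666",
         "p4user": "builder", "depot": "depot", "branch": "main"}
    ],
})

# Constructed sample: the same shape with shell metacharacters smuggled into
# the port and user fields, the pattern the advisory describes.
SUSPICIOUS_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "repositories": {
        "p4": {"type": "perforce", "url": "perforce.example.com:1666; id",
               "p4user": "dev$(id)", "depot": "main"}
    },
})


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_COMPOSER_JSON),
                        ("suspicious", SUSPICIOUS_COMPOSER_JSON)):
        print(label, "safe" if is_safe_to_run(text) else "REJECT")
        for index, field, value, reason in perforce_findings(text):
            print(f"  repositories[{index}].{field} = {value!r}: {reason}")
```

Run it against the project's `composer.json` before `composer install` on an untrusted checkout; a non-empty findings list should abort the step. The allow-list is intentionally stricter than what Perforce itself accepts, so a legitimate but unusual P4PORT will be flagged and needs a manual review rather than a pattern relaxation.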