New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
TL;DR: Two high-severity vulnerabilities (CVE-2026-40176 and CVE-2026-40261) have been discovered in PHP’s package manager, Composer. These flaws allow for arbitrary command execution via malicious Perforce VCS configurations. Patches have been released, and users are urged to update to versions 2.9.6 or 2.2.27 immediately.
The PHP ecosystem is facing a significant security update following the disclosure of two high-severity vulnerabilities in Composer, the de facto package manager for PHP developers. These flaws, if exploited, could allow an attacker to achieve arbitrary command execution on a user's system.
According to the security advisories, the issues lie in Composer's driver for the Perforce version control system (VCS). Notably, the flaws are exploitable even when Perforce is not installed on the machine: the injected command is interpreted by the shell at the point where Composer assembles the command line, so whether a working Perforce client is present does not matter.
Understanding the Vulnerabilities
Both vulnerabilities are categorized as command injection flaws resulting from improper input validation.
CVE-2026-40176 (CVSS Score: 7.8)
This vulnerability is improper input validation of repository configuration. An attacker who can control a `composer.json` file, specifically by declaring a malicious Perforce VCS repository in its `repositories` section, can inject arbitrary commands. The commands run with the privileges of the user running Composer, so running `composer install` or `composer update` against an untrusted project is enough to trigger it.
CVE-2026-40261 (CVSS Score: 8.8)
Rated higher (8.8 versus 7.8), this flaw stems from inadequate escaping of shell metacharacters in a package's Perforce source reference. An attacker who controls that reference, for example through the source metadata of a published package, can embed metacharacters that the shell interprets as additional commands.
Impacted Versions
The vulnerabilities affect two main release branches of Composer:
- Version 2.3 through 2.9.5: Fixed in version 2.9.6
- Version 2.0 through 2.2.26: Fixed in version 2.2.27
Packagist.org Response and Status
In response to the discovery, Composer maintainers conducted a scan of Packagist.org (the primary public repository for PHP packages). Fortunately, no evidence was found of threat actors exploiting these vulnerabilities to publish malicious packages.
As a proactive measure, the publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026. Additionally, a separate update is being prepared for Private Packagist Self-Hosted customers.
Remediation and Mitigation Steps
The primary recommendation is to update Composer immediately to version 2.9.6 or 2.2.27.
If immediate patching is not possible, organizations should implement the following defensive measures:
- Manual inspection: Carefully audit `composer.json` files before running Composer against them, specifically verifying that any Perforce-related repository fields contain valid, non-malicious values.
- Trusted sources only: Only run Composer commands on projects from trusted sources and use reputable repositories.
- Configuration tweak: Avoid the `--prefer-dist` flag and the `"preferred-install": "dist"` configuration setting until the software is patched.
The maintainers emphasize that despite the safeguards on Packagist.org, local Composer installations remain vulnerable until the software is updated.
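The two checks above, confirming the local Composer version against the fixed releases and auditing manifests for Perforce declarations, can be scripted. The following Python is an added example and is not code from Composer, Packagist or the advisory. It relies only on what this page states (the affected and fixed version ranges, and that a Perforce repository in `composer.json` or a Perforce source reference in package metadata is the attack surface), plus one detail taken from Composer's documentation and marked as an assumption in the code: a `vcs` repository whose URL contains the word `perforce` or `p4` is handled by the Perforce driver. It goes slightly beyond the page by also scanning `composer.lock`, since that is where a package's source type, URL and reference are recorded after resolution. The page does not say which exact fields the real flaws abuse, so the scanner flags any Perforce-related string carrying shell metacharacters. The embedded `composer.json`, `composer.lock` and `composer --version` fragments are constructed for the demonstration and use harmless marker payloads.

```python
"""Added example, not Composer's own code: audit helpers for the Perforce
command-injection advisory on this page (version check + manifest/lock scan)."""
import json
import re

# Characters a POSIX shell treats specially; any of them inside a value that
# could end up on a p4 command line is suspicious.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\n\r]""")

# Assumption taken from Composer's docs, not from this page: a "vcs" repository
# whose URL contains the word "perforce" or "p4" is claimed by the Perforce driver.
P4_URL = re.compile(r"\b(perforce|p4)\b", re.IGNORECASE)


def parse_version(text):
    """'v2.9.5' or '2.9.5' -> (2, 9, 5); a missing patch component counts as 0."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a Composer version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(version):
    """True if patched, False if inside an affected range, None if outside 2.x."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return None  # the page only covers the 2.x release branches
    if minor <= 2:
        return (minor, patch) >= (2, 27)  # 2.0 .. 2.2.26 -> fixed in 2.2.27
    return (minor, patch) >= (9, 6)       # 2.3 .. 2.9.5  -> fixed in 2.9.6


def version_from_banner(banner):
    """Pull the version string out of `composer --version` output."""
    m = re.search(r"Composer version (\S+)", banner)
    return m.group(1) if m else None


def iter_repositories(doc):
    """composer.json allows 'repositories' as a list or as a name-keyed object."""
    repos = doc.get("repositories", [])
    items = repos.items() if isinstance(repos, dict) else enumerate(repos)
    for key, repo in items:
        if isinstance(repo, dict):  # entries like {"packagist.org": false} are skipped
            yield f"repositories[{key}]", repo


def is_perforce_repo(repo):
    rtype = str(repo.get("type", "")).lower()
    url = str(repo.get("url", ""))
    return rtype == "perforce" or (rtype == "vcs" and P4_URL.search(url) is not None)


def audit_manifest(doc):
    """Flag Perforce repository declarations and shell metacharacters in their fields."""
    findings = []
    for path, repo in iter_repositories(doc):
        if not is_perforce_repo(repo):
            continue
        findings.append(f"{path}: Perforce repository declared (type={repo.get('type')})")
        for field, value in repo.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append(f"{path}.{field}: shell metacharacters in {value!r}")
    return findings


def audit_lock(doc):
    """Flag packages whose recorded source is Perforce, and metacharacters in it."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in doc.get(section, []):
            src = pkg.get("source") or {}
            if str(src.get("type", "")).lower() != "perforce":
                continue
            name = pkg.get("name", "?")
            findings.append(f"{section}/{name}: Perforce source metadata present")
            for field in ("url", "reference"):
                value = src.get(field)
                if isinstance(value, str) and SHELL_META.search(value):
                    findings.append(f"{section}/{name}.source.{field}: shell metacharacters in {value!r}")
    return findings


def audit(json_text):
    """Run both audits over the text of a composer.json or composer.lock."""
    doc = json.loads(json_text)
    return audit_manifest(doc) + audit_lock(doc)


# Constructed samples for the demonstration (not real packages); payloads are harmless markers.
SAMPLE_BANNER = "Composer version 2.9.5 2026-04-01 12:00:00"
SAMPLE_MANIFEST = json.dumps({"name": "acme/app", "repositories": [
    {"type": "composer", "url": "https://repo.packagist.org"},
    {"type": "perforce", "url": "perforce.example.internal:1666", "depot": "depot", "branch": "main; id"},
]})
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/lib", "version": "1.2.0",
     "source": {"type": "perforce", "url": "perforce.example.internal:1666", "reference": "@1234 | id"}},
    {"name": "acme/clean", "version": "1.0.0",
     "source": {"type": "git", "url": "https://github.com/acme/clean.git", "reference": "0123abcd"}},
]})

if __name__ == "__main__":
    v = version_from_banner(SAMPLE_BANNER)
    status = {True: "patched", False: "AFFECTED, update now", None: "not covered by this advisory"}
    print(f"composer {v}: {status[is_patched(v)]}")
    for finding in audit(SAMPLE_MANIFEST) + audit(SAMPLE_LOCK):
        print("FINDING", finding)
```

Run it against a real project by replacing the samples with the output of `composer --version` and the contents of the project's `composer.json` and `composer.lock`. A finding of "Perforce repository declared" on its own is not proof of compromise, only a prompt to inspect the values by hand as the mitigation list asks; a metacharacter finding in a Perforce field should be treated as hostile until explained.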
Source: The Hacker News - New PHP Composer Flaws Enable Arbitrary Command Execution