Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.
The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below –
In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.
The vulnerabilities affect the following versions –
If immediate patching is not an option, it’s advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It’s also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the “–prefer-dist” or the “preferred-install: dist” configuration setting.
Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.
“As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026,” it said. “Composer installations should be updated immediately regardless.”
Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities.
Learn how to validate automated pentesting results for accurate security decisions.
Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.
Leave a Reply