Security Experts:

Connect with us

Hi, what are you looking for?


Supply Chain Security

Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack

Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.

Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.

Packagist is the default repository for PHP dependency manager Composer, aggregating public PHP packages that can be installed using Composer. Each month, Composer is used to download more than 2 billion packages.

According to Sonar’s security researchers, the recently identified vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, leading to the potential compromise of millions of servers.

“Since Composer is the standard package manager for PHP, most open-source and commercial PHP projects would have been impacted,” Sonar says.

Tracked as CVE-2022-24828, the vulnerability is described as a command injection issue that could allow an attacker to control input that is interpreted as parameters for commands executed by Composer.

“The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used,” Composer’s maintainers explain.

The flaw was similar to CVE-2021-29472, a command injection bug identified last year, impacting the implementation of Version Control System driver (VcsDriver) sub-classes, which Composer invokes as external commands.

Because of this vulnerability, a user controlling a Git or Mercurial repository could target and Private Packagist by injecting parameters into the $file argument (impacting the Mercurial driver) or the $identifier argument (with impact on both Git and Mercurial drivers).

“Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project’s composer.json,” Composer’s maintainers note.

According to Sonar, an attacker looking to exploit the vulnerability would need to create a project in a remote Mercurial repository, add a manifest to composer.json and create a malicious ‘readme’ entry, create a .sh payload to perform a desired action, and then import the package to Packagist.

“The next step would be to modify the definition of a package to point to an unintended destination and compromise the application in which they are used,” Sonar explains.

The vulnerability was reported to the Packagist maintainers on April 7 and a hotpatch was released the next day. The issue was addressed with the release of Composer versions 2.3.5, 2.2.12, and 1.10.26, and no evidence of in-the-wild exploitation was found.

Related: Critical Vulnerability Patched in PHP Package Repository

Related: New ‘Wolfi’ Linux Distro Focuses on Software Supply Chain Security

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...