Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.
Packagist is the default repository for PHP dependency manager Composer, aggregating public PHP packages that can be installed using Composer. Each month, Composer is used to download more than 2 billion packages.
According to Sonar’s security researchers, the recently identified vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, leading to the potential compromise of millions of servers.
“Since Composer is the standard package manager for PHP, most open-source and commercial PHP projects would have been impacted,” Sonar says.
Tracked as CVE-2022-24828, the vulnerability is described as a command injection issue that could allow an attacker to control input that is interpreted as parameters for commands executed by Composer.
“The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used,” Composer’s maintainers explain.
The flaw was similar to CVE-2021-29472, a command injection bug identified last year that affected the Version Control System driver (VcsDriver) sub-classes Composer uses to run external version-control commands.
Because of this vulnerability, a user controlling a Git or Mercurial repository could target Packagist.org and Private Packagist by injecting parameters into the $file argument (impacting the Mercurial driver) or the $identifier argument (with impact on both Git and Mercurial drivers).
“Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project’s composer.json,” Composer’s maintainers note.
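The two arguments named above, $identifier (a branch or revision) and $file (a path), are the ones that end up on the command line of `git show` or `hg cat`. The following is an added, constructed example of the defensive pattern for that bug class; it is not Composer's code, and the allow-list regex, function names and the `--` placement are assumptions of the example, not details from the advisory.

```python
import re
import subprocess
from typing import List

# Constructed example of hardening against argument injection in the style of
# VcsDriver::getFileContent(). $identifier and $file come from a repository the
# attacker controls; each must reach git/hg as data, never as an option.

class ArgumentInjection(ValueError):
    """A user-controlled value would be parsed as an option by the VCS command."""

# Conservative allow-list for branch/revision names (an assumption of this
# example, stricter than what git or hg permit). A leading '-' is excluded.
_IDENTIFIER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")

def check_identifier(identifier: str) -> str:
    if not _IDENTIFIER.match(identifier):
        raise ArgumentInjection(f"unsafe identifier: {identifier!r}")
    return identifier

def check_file(file: str) -> str:
    # Paths are freer-form, but a leading '-' is the shape that turns data into an option.
    if not file or file.startswith("-"):
        raise ArgumentInjection(f"unsafe file argument: {file!r}")
    return file

def git_show_argv(identifier: str, file: str) -> List[str]:
    """argv for `git show <identifier>:<file>`. The <object> argument has no
    '--' protection, so the identifier itself must be validated."""
    return ["git", "show", f"{check_identifier(identifier)}:{check_file(file)}"]

def hg_cat_argv(identifier: str, file: str) -> List[str]:
    """argv for `hg cat -r <identifier> -- <file>`. '--' ends option parsing for
    the path; the revision is still validated because it directly follows -r."""
    return ["hg", "cat", "-r", check_identifier(identifier), "--", check_file(file)]

def get_file_content(argv: List[str], cwd: str) -> str:
    # argv as a list with shell=False: no shell re-parsing, one element is one argument.
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=True).stdout
```

Validation runs before the process is spawned, so a rejected value raises ArgumentInjection and nothing is executed.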
According to Sonar, an attacker looking to exploit the vulnerability would need to create a project in a remote Mercurial repository, add a manifest to composer.json and create a malicious ‘readme’ entry, create a .sh payload to perform a desired action, and then import the package to Packagist.
“The next step would be to modify the definition of a package to point to an unintended destination and compromise the application in which they are used,” Sonar explains.
The vulnerability was reported to the Packagist maintainers on April 7 and a hotpatch was released the next day. The issue was addressed with the release of Composer versions 2.3.5, 2.2.12, and 1.10.26, and no evidence of in-the-wild exploitation was found.