Supply Chain Security

Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack

Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.

Packagist is the default repository for PHP dependency manager Composer, aggregating public PHP packages that can be installed using Composer. Each month, Composer is used to download more than 2 billion packages.

According to Sonar’s security researchers, the recently identified vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, leading to the potential compromise of millions of servers.

“Since Composer is the standard package manager for PHP, most open-source and commercial PHP projects would have been impacted,” Sonar says.

Tracked as CVE-2022-24828, the vulnerability is described as a command injection issue that could allow an attacker to control input that is interpreted as parameters for commands executed by Composer.

“The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used,” Composer’s maintainers explain.

The flaw was similar to CVE-2021-29472, a command injection bug identified last year that affected the Version Control System driver (VcsDriver) sub-classes Composer uses to invoke external commands.

Because of this vulnerability, a user controlling a Git or Mercurial repository could target Packagist and Private Packagist by injecting parameters into the $file argument (impacting the Mercurial driver) or the $identifier argument (with impact on both the Git and Mercurial drivers).

“Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project’s composer.json,” Composer’s maintainers note.
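The argument-injection pattern the maintainers describe is easy to see in a small model. The Python below is an added example, not Composer's code and not the fix its maintainers shipped: it shows an unsafe argv builder that splices a user-controlled VCS identifier and file name straight into an `hg cat`-style command, an audit helper that flags which untrusted values would land in an option-parsing position, and a defensive builder that rejects option-shaped identifiers and places an end-of-options marker before the positional file argument. The identifier and file values, the argv shape, and the allowlist patterns are constructed assumptions for the example; no VCS binary is run.

```python
"""Model of argument injection through VCS driver arguments (illustrative only).

Added example: this is not Composer's code. It models how a user-controlled
identifier (branch, tag or revision) or file name reaches the argv of an
external VCS command, why a value beginning with '-' is dangerous there, and
one defensive builder. Nothing here invokes git or hg.
"""
import re
from typing import List

# Constructed sample values (not taken from the advisory or the page).
NORMAL_REF = "release/2.3"
HOSTILE_REF = "--hypothetical-option"   # option-shaped ref name; placeholder, not a real flag
NORMAL_FILE = "composer.json"


def build_cat_argv_unsafe(identifier: str, file: str) -> List[str]:
    """Unsafe pattern: untrusted values are spliced directly into argv.

    Even without a shell (no shell=True), a value beginning with '-' sits where
    the tool's option parser may consume it as a flag instead of as data.
    """
    return ["hg", "cat", "-r", identifier, file]


def injected_options(argv: List[str], untrusted: List[str]) -> List[str]:
    """Audit helper: return the untrusted values that an option parser could
    treat as options, i.e. they start with '-' and sit before any '--' marker."""
    end = argv.index("--") if "--" in argv else len(argv)
    return [a for a in argv[1:end] if a in untrusted and a.startswith("-")]


# Conservative allowlists (assumed for the example; stricter than what git or
# hg accept): must start alphanumeric, so a leading '-' is impossible, and
# contain no whitespace or shell metacharacters.
SAFE_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]{0,254}$")
SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]{0,1023}$")


def build_cat_argv_safe(identifier: str, file: str) -> List[str]:
    """Defensive builder.

    The identifier is the *value* of '-r'; a '--' marker cannot protect an
    option value, so it must be validated. The file name is positional, so it
    is validated and additionally placed after '--' to end option parsing.
    """
    if not SAFE_REF_RE.fullmatch(identifier):
        raise ValueError(f"rejected VCS identifier: {identifier!r}")
    if not SAFE_PATH_RE.fullmatch(file) or ".." in file.split("/"):
        raise ValueError(f"rejected file path: {file!r}")
    return ["hg", "cat", "-r", identifier, "--", file]


if __name__ == "__main__":
    unsafe = build_cat_argv_unsafe(HOSTILE_REF, NORMAL_FILE)
    print("unsafe argv:", unsafe)
    print("untrusted values in option position:",
          injected_options(unsafe, [HOSTILE_REF, NORMAL_FILE]))
    print("safe argv:", build_cat_argv_safe(NORMAL_REF, NORMAL_FILE))
    try:
        build_cat_argv_safe(HOSTILE_REF, NORMAL_FILE)
    except ValueError as exc:
        print("rejected:", exc)
```

The point the helper makes is that passing a list to `subprocess` avoids shell injection but not argument injection: the VCS tool's own option parser still sees the leading dash. Option values such as the revision therefore need validation, while positional arguments can be protected by an end-of-options marker where the specific command honours one.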

According to Sonar, an attacker looking to exploit the vulnerability would need to create a project in a remote Mercurial repository, add a manifest to composer.json and create a malicious ‘readme’ entry, create a .sh payload to perform a desired action, and then import the package to Packagist.

“The next step would be to modify the definition of a package to point to an unintended destination and compromise the application in which they are used,” Sonar explains.

The vulnerability was reported to the Packagist maintainers on April 7 and a hotpatch was released the next day. The issue was addressed with the release of Composer versions 2.3.5, 2.2.12, and 1.10.26, and no evidence of in-the-wild exploitation was found.

Related: Critical Vulnerability Patched in PHP Package Repository

Related: New ‘Wolfi’ Linux Distro Focuses on Software Supply Chain Security

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
