A serious security vulnerability existed in Composer, the PHP package manager. Exploiting the bug could allow an attacker to execute code on any server that passes user-supplied input to Composer, and exploitation against a central service such as Packagist.org could have resulted in a devastating supply-chain attack.
PHP Composer Vulnerability
Composer is the standard tool for managing software dependencies in the PHP ecosystem, and Packagist.org is the public repository it downloads from. Because of this widespread use, any security flaw in Composer or in the services built on it could enable devastating attacks.
One such vulnerability in PHP Composer caught the attention of researchers at SonarSource.
Specifically, they found a code execution vulnerability that was reachable on the Packagist.org server, caused by improper sanitization of repository URLs before they were passed to command-line VCS tools. Exploiting the flaw with a maliciously crafted URL would have allowed an adversary to run code on the Packagist server, and from there to steal package maintainers' credentials or redirect package downloads to external malicious servers.
The advisory for this flaw, CVE-2021-29472, describes it as follows:
URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution.
SonarSource has shared the full technical details of this vulnerability in their blog post.
Patch Released
After discovering the bug, the researchers reported it to the Composer maintainers, who also operate Packagist.
The maintainers deployed a hotfix on Packagist.org the same day, followed by a complete fix in Composer itself a few days later.
The patched versions are Composer 1.10.22 and 2.0.13, both available on GitHub.
Users should update to one of the patched versions. Because the main risk is to services that pass user-supplied URLs to Composer, Packagist also recommends that such services validate URLs themselves before handing them over, as an additional layer of defence.
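The following is an added example of the kind of URL validation the advisory recommends for a service that forwards user-supplied repository URLs to Composer or directly to a VCS command line. It is not Composer's or Packagist's own code; the class and function names are hypothetical, and the sample URLs are constructed. It shows why shell escaping alone does not help: an escaped value that begins with a dash still reaches hg as a single argument that hg parses as an option (hg's `--config` flag is real, but which options lead to command execution is covered in SonarSource's write-up, not reproduced here). The hardened variant rejects such values and separates options from positional arguments with `--`.

```php
<?php
// Added example, not Composer's code. Demonstrates argument injection via a
// "URL" that is really a command-line option, and a validator that blocks it.
declare(strict_types=1);

final class RepoUrlValidator
{
    // Hypothetical allowlist of schemes a Mercurial remote may use; adjust to policy.
    private const ALLOWED_SCHEMES = ['http', 'https', 'ssh'];

    /**
     * Returns $url unchanged if it is safe to hand to a VCS command line,
     * otherwise throws InvalidArgumentException.
     */
    public static function validate(string $url): string
    {
        // Anything starting with '-' is parsed by hg/git as an option, no
        // matter how carefully it is shell-escaped. Reject it outright.
        if ($url === '' || $url[0] === '-') {
            throw new InvalidArgumentException('URL must not be empty or start with "-"');
        }
        // Control characters and whitespace have no place in a remote URL.
        if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
            throw new InvalidArgumentException('URL contains control characters or whitespace');
        }
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!is_string($scheme) || !in_array(strtolower($scheme), self::ALLOWED_SCHEMES, true)) {
            throw new InvalidArgumentException('URL scheme not allowed');
        }
        if (!is_string(parse_url($url, PHP_URL_HOST))) {
            throw new InvalidArgumentException('URL has no host');
        }
        return $url;
    }
}

// Vulnerable shape: escaping alone. escapeshellarg() keeps the value as one
// argv entry, but that entry still starts with "--", so hg treats it as an
// option rather than as the repository URL.
function hgCloneCommandEscapedOnly(string $url, string $dest): string
{
    return sprintf('hg clone %s %s', escapeshellarg($url), escapeshellarg($dest));
}

// Hardened shape: validate first, then place "--" before the positional
// arguments so the VCS tool stops option parsing at that point.
function hgCloneCommandHardened(string $url, string $dest): string
{
    $url = RepoUrlValidator::validate($url);
    return sprintf('hg clone -- %s %s', escapeshellarg($url), escapeshellarg($dest));
}

// Constructed sample inputs for the demonstration.
$good = 'https://hg.example.org/repo';
$bad  = '--config=paths.default=https://attacker.example/repo'; // option-shaped value, constructed

echo hgCloneCommandEscapedOnly($bad, 'target'), PHP_EOL;   // option survives escaping
echo hgCloneCommandHardened($good, 'target'), PHP_EOL;     // accepted, with "--" separator
try {
    hgCloneCommandHardened($bad, 'target');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two controls are deliberately independent: the `--` separator protects against values that slip past the validator, and the validator protects tools or code paths where a `--` cannot be inserted. Services that let users register repository URLs should apply the validation at the point of input, not only when the command is built.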