Vulnerability Management, Supply chain

PHP Composer vulnerabilities allow arbitrary command execution


As reported by Security Affairs, two critical vulnerabilities have been identified in PHP Composer, a widely used dependency manager for PHP projects. These flaws could allow attackers to execute arbitrary commands on a user's system through malicious repository configurations and crafted inputs, particularly impacting the Perforce version control system driver.

The vulnerabilities, CVE-2026-40176 (CVSS 7.8) and CVE-2026-40261 (CVSS 8.8), stem from improper input validation and insufficient escaping within Composer's Perforce VCS driver. Attackers can exploit these by creating a malicious composer.json file or a crafted source reference containing shell metacharacters. CVE-2026-40176 specifically targets the generateP4Command() method, allowing injection via user-controlled connection parameters in untrusted root projects. CVE-2026-40261 affects the syncCodeBase() method, enabling command injection through unescaped source references in compromised repositories, even without Perforce installed. Composer versions 2.9.6 and 2.2.27 (LTS) have been released to address these issues.

Developers are urged to update Composer to the latest versions immediately. Mitigation strategies include avoiding installation from source by using --prefer-dist and verifying the trustworthiness of all repositories. While no exploitation attempts have been detected, disabling Perforce metadata publishing and the Perforce VCS driver serves as a precautionary measure.
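As an added example, not taken from the article or from the Composer project, the following Python script audits a project's composer.json and composer.lock for the conditions the article names: Perforce-type repositories, a preferred-install policy other than dist (which makes Composer run VCS drivers), and source references or repository URLs carrying shell metacharacters. The sample file contents are constructed for the demonstration.

```python
import json
import re

# Characters a POSIX shell interprets; none belong in a VCS reference or repository URL.
SHELL_META = re.compile(r'[;&|`$()<>\\\r\n\'" ]')

def _repos(cfg):
    """composer.json allows 'repositories' as a list or as a name-keyed object."""
    repos = cfg.get("repositories", [])
    return list(repos.values()) if isinstance(repos, dict) else list(repos)

def audit_composer(composer_json, composer_lock=None):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    cfg = json.loads(composer_json)
    for repo in _repos(cfg):
        url = str(repo.get("url", ""))
        if str(repo.get("type", "")).lower() == "perforce":
            findings.append(f"perforce repository configured: {url}")
        if SHELL_META.search(url):
            findings.append(f"shell metacharacters in repository url: {url!r}")
    # preferred-install may be a string or a per-package map; anything but dist runs VCS drivers
    pref = cfg.get("config", {}).get("preferred-install")
    modes = pref.values() if isinstance(pref, dict) else [pref]
    if any(m != "dist" for m in modes):
        findings.append("preferred-install is not 'dist'; use --prefer-dist")
    if composer_lock:
        lock = json.loads(composer_lock)
        for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
            src = pkg.get("source") or {}
            ref = str(src.get("reference", ""))
            if str(src.get("type", "")).lower() == "perforce":
                findings.append(f"{pkg.get('name')}: perforce source")
            if SHELL_META.search(ref):
                findings.append(f"{pkg.get('name')}: shell metacharacters in reference {ref!r}")
    return findings

# Constructed sample files (not from any real project) exercising each check.
SAMPLE_JSON = json.dumps({
    "repositories": [{"type": "perforce", "url": "perforce.example.test:1666"},
                     {"type": "composer", "url": "https://repo.packagist.org"}],
    "config": {"preferred-install": "source"}})
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/lib", "source": {"type": "git", "url": "https://git.example.test/lib.git", "reference": "a1b2c3"}},
    {"name": "acme/pkg", "source": {"type": "perforce", "url": "perforce.example.test:1666",
                                    "reference": "main; echo injected"}}]})

if __name__ == "__main__":
    for line in audit_composer(SAMPLE_JSON, SAMPLE_LOCK):
        print("FLAG:", line)
```

Run it from the project root against the real files (`audit_composer(open("composer.json").read(), open("composer.lock").read())`) before a `composer install`; any finding warrants review of the repository and a dist-only install.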

Source: Security Affairs
