vulnerability
FreeBSD: VID-5f608c68-276c-11ef-8caa-0897988a1c07 (CVE-2024-35242): Composer -- Multiple command injections via malicious git/hg branch names
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Jun 10, 2024 | Jun 11, 2024 | Mar 25, 2026 |
Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
Jun 10, 2024
Added
Jun 11, 2024
Modified
Mar 25, 2026
Description
Composer project reports: The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.
Solutions
freebsd-upgrade-package-php81-composerfreebsd-upgrade-package-php82-composerfreebsd-upgrade-package-php83-composer
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.