CVE-2022-24828 Overview
CVE-2022-24828 is an argument injection vulnerability in Composer, the dependency manager for PHP. It sits in VcsDriver::getFileContent (the GitDriver and HgDriver implementations): integrators that embed Composer as a library and pass user-controlled input to the $file or $identifier arguments can have additional command-line options injected into the git or Mercurial commands the method runs. The upstream advisory frames this as a problem for integrators using Composer code rather than for end users running the Composer CLI against their own projects. The issue was demonstrated on packagist.org, where a package's composer.json readme field could be used as a vector for injecting parameters into hg/Mercurial via the $file argument, or into git via the $identifier argument, when arbitrary data was permitted.
Critical Impact
Attackers who can get repository metadata in front of an affected integrator could inject additional options into the git and Mercurial commands Composer runs. What those options can achieve depends on the VCS binary, but the impact is rated High (CVSS 3.1 base score 8.8) because it can extend to arbitrary command execution with the privileges of the Composer process on systems running vulnerable versions.
Affected Products
- Getcomposer Composer: 1.x before 1.10.26, 2.0.0 through 2.2.11, and 2.3.0 through 2.3.4 (fixed in 1.10.26, 2.2.12 and 2.3.5)
- Tenable Tenable.sc
- Fedora 34, 35, and 36
Discovery Timeline
- 2022-04-13 - CVE-2022-24828 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24828
Vulnerability Analysis
This vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-88 (Improper Neutralization of Argument Delimiters in a Command, i.e. argument injection). The core issue is insufficient validation of caller-supplied input passed to getFileContent in both the GitDriver and HgDriver classes.
When reading a file out of a checkout, Composer builds the commands git show <identifier>:<file> and hg cat -r <identifier> <file>. Both values are run through ProcessExecutor::escape, which neutralises shell metacharacters, but shell quoting does not change how git or hg parse their own argv: a value beginning with a hyphen (-) is still treated by the VCS binary as a command-line option rather than as data. The attacker therefore cannot break out of the command, but can add arbitrary options to the git or Mercurial invocation.
The attack is network-based and requires user interaction (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), for instance an integrator importing repository metadata that the attacker published. Confidentiality, integrity and availability are all affected, since successful exploitation could lead to arbitrary command execution with the privileges of the Composer process.
Root Cause
The root cause is that VcsDriver::getFileContent treated its $identifier and $file parameters as plain data. They were shell-escaped and interpolated into git and hg commands, but never checked for a leading hyphen, and the hg command did not use the -- separator that tells an option parser that everything after it is positional. Under Unix command-line conventions an argument starting with - is an option flag, so an attacker could supply parameters that alter the behaviour of the git or Mercurial executables.
Attack Vector
The attack vector is attacker-controlled input reaching getFileContent through repository metadata that an integrator processes, typically a package published to a registry. On packagist.org, the composer.json readme field was the demonstrated carrier. The attacker crafts a $identifier or $file value beginning with a hyphen; the value survives shell quoting intact, and the underlying git or Mercurial command then interprets it as a command-line option rather than as a ref or path.
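The following PHP is an added example written for this page (it is not Composer's own code) that makes the point above concrete: the command builders mirror the shape of the pre-patch and patched getFileContent implementations, escapeshellarg() stands in for ProcessExecutor::escape (assumption: on Unix both only single-quote the value), and shellWords()/injectedOptions() are hypothetical helpers that approximate POSIX word splitting and the VCS binary's option detection so the effect can be seen without running git or hg. The attacker value is a placeholder, not a real option name.

```php
<?php
// Added example, not Composer's own code: shows why shell quoting alone does not stop
// option injection into `git show` / `hg cat`, and how the patched pattern (leading-dash
// check plus `--` separator) closes it. escapeshellarg() stands in for Composer's
// ProcessExecutor::escape (assumption: on Unix both only single-quote the value).
declare(strict_types=1);

/** Pre-patch shape of GitDriver::getFileContent: quoted, but may still start with '-'. */
function buildGitShowVulnerable(string $identifier, string $file): string
{
    $resource = sprintf('%s:%s', escapeshellarg($identifier), escapeshellarg($file));
    return sprintf('git show %s', $resource);
}

/** Patched shape: an identifier beginning with '-' is rejected before anything runs. */
function buildGitShowHardened(string $identifier, string $file): string
{
    if (isset($identifier[0]) && $identifier[0] === '-') {
        throw new RuntimeException('Invalid git identifier: must not start with -');
    }
    $resource = sprintf('%s:%s', escapeshellarg($identifier), escapeshellarg($file));
    return sprintf('git show %s', $resource);
}

/** Pre-patch shape of HgDriver::getFileContent: $file is a separate, unguarded argument. */
function buildHgCatVulnerable(string $identifier, string $file): string
{
    return sprintf('hg cat -r %s %s', escapeshellarg($identifier), escapeshellarg($file));
}

/** Patched shape: identifier check plus `--` so $file is always positional. */
function buildHgCatHardened(string $identifier, string $file): string
{
    if (isset($identifier[0]) && $identifier[0] === '-') {
        throw new RuntimeException('Invalid hg identifier: must not start with -');
    }
    return sprintf('hg cat -r %s -- %s', escapeshellarg($identifier), escapeshellarg($file));
}

/** Hypothetical helper: split a command into argv like a POSIX shell, honouring '...' and \' . */
function shellWords(string $command): array
{
    $words = [];
    $cur = '';
    $inQuote = $haveWord = false;
    for ($i = 0, $n = strlen($command); $i < $n; $i++) {
        $c = $command[$i];
        if ($inQuote) {
            if ($c === "'") { $inQuote = false; } else { $cur .= $c; }
        } elseif ($c === "'") {
            $inQuote = $haveWord = true;
        } elseif ($c === '\\' && $i + 1 < $n) {   // escaped char outside quotes, e.g. \'
            $cur .= $command[++$i];
            $haveWord = true;
        } elseif ($c === ' ') {
            if ($haveWord) { $words[] = $cur; $cur = ''; $haveWord = false; }
        } else {
            $cur .= $c;
            $haveWord = true;
        }
    }
    if ($haveWord) { $words[] = $cur; }
    return $words;
}

/** Hypothetical helper: argv entries git/hg would parse as options, i.e. anything
 *  starting with '-' before a '--' terminator, excluding hg cat's expected `-r <rev>`. */
function injectedOptions(array $args): array
{
    $found = [];
    $skipNext = false;
    foreach (array_slice($args, 2) as $arg) {   // drop "git show" / "hg cat"
        if ($skipNext) { $skipNext = false; continue; }
        if ($arg === '--') { break; }                       // end of options
        if ($arg === '-r') { $skipNext = true; continue; }  // -r <rev> is expected
        if ($arg !== '' && $arg[0] === '-') { $found[] = $arg; }
    }
    return $found;
}

// Constructed attacker-controlled value; a placeholder, not a real git/hg option.
$evil = '--attacker-option=value';

// Vulnerable builders: the quoted value survives the shell and reaches argv unchanged.
print_r(injectedOptions(shellWords(buildGitShowVulnerable($evil, 'README.md'))));
print_r(injectedOptions(shellWords(buildHgCatVulnerable('v1.0', $evil))));
// Hardened hg builder: same $file, but it now sits after '--' and is positional.
print_r(injectedOptions(shellWords(buildHgCatHardened('v1.0', $evil))));
// Hardened git builder: the identifier never reaches the shell at all.
try {
    buildGitShowHardened($evil, 'README.md');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The git case needs no `--` because identifier and file are fused into one `ref:path` argument, so checking the identifier's first character is enough; the hg case needs both the check (the `-r` value is untrusted) and the separator (the file is its own argument).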
// Security patch in src/Composer/Repository/Vcs/GitDriver.php
// Source: https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
*/
public function getFileContent($file, $identifier)
{
+ if (isset($identifier[0]) && $identifier[0] === '-') {
+ throw new \RuntimeException('Invalid git identifier detected. Identifier must not start with a -, given: ' . $identifier);
+ }
+
$resource = sprintf('%s:%s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
$this->process->execute(sprintf('git show %s', $resource), $content, $this->repoDir);
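Review bot: the new check only inspects `$identifier`, which is sufficient at this call site because `$identifier` and `$file` are fused into a single `%s:%s` argument on the `$resource` line, so a `$file` beginning with `-` can never be the start of an argv entry here; the HgDriver hunk needs an extra `--` precisely because its `$file` is a separate argument, and any future caller that passes `$file` on its own would need the same. ProcessExecutor::escape on that line still only protects against shell metacharacters, not against git's option parser, so this check is the actual fix. One nit: the exception message appends the raw `$identifier`, so an attacker-chosen string is reproduced verbatim in logs or error responses; consider truncating it.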
// Security patch in src/Composer/Repository/Vcs/HgDriver.php
// Source: https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
*/
public function getFileContent($file, $identifier)
{
- $resource = sprintf('hg cat -r %s %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
+ if (isset($identifier[0]) && $identifier[0] === '-') {
+ throw new \RuntimeException('Invalid hg identifier detected. Identifier must not start with a -, given: ' . $identifier);
+ }
+
+ $resource = sprintf('hg cat -r %s -- %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
$this->process->execute($resource, $content, $this->repoDir);
if (!trim($content)) {
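Review bot: the `--` inserted before the second `%s` in the new `$resource` line is what closes the `$file` vector: everything after `--` is positional to `hg cat`, so a file path beginning with `-` is no longer parsed as an option. The `$identifier` check is still needed because `-r %s` sits before the `--` and its value is untrusted. As in GitDriver, the message echoes the raw `$identifier`; consider truncating it. The removed line shows the previous command had neither protection even though both values went through ProcessExecutor::escape, which confirms that escaping alone was never a defence against option injection.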
Detection Methods for CVE-2022-24828
Indicators of Compromise
- Unusual git or Mercurial command executions with unexpected command-line arguments
- Error logs showing the RuntimeException messages "Invalid git identifier detected" or "Invalid hg identifier detected" (these are emitted only by patched code, so they indicate a blocked attempt on an updated system rather than a successful exploit)
- Anomalous activity in Composer process logs related to VCS operations
- Unexpected subprocess spawning from PHP/Composer processes
Detection Strategies
- Monitor process execution for git and hg commands containing suspicious parameter patterns
- Implement application-level logging for VcsDriver::getFileContent calls to detect exploitation attempts
- Review Composer dependency installation logs for packages with malformed identifiers
- Deploy runtime application self-protection (RASP) to detect command injection attempts
Monitoring Recommendations
- Enable verbose logging for Composer operations in CI/CD pipelines
- Monitor for unexpected shell command executions originating from PHP processes
- Implement file integrity monitoring on Composer installation directories
- Set up alerts for failed Composer operations with exception messages referencing invalid identifiers
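Added detection example for the indicators and strategies above (this editor's code, not Composer's or any vendor's). It runs over constructed sample records and models two feeds whose layout is an assumption of the example: process-execution events (parent process name plus command line, as an EDR or auditd pipeline might emit) and Composer application log lines. The two RuntimeException strings it matches are the ones the patched drivers throw; the `-r`/`--` handling mirrors how `hg cat` and `git show` are invoked by Composer.

```python
"""Detector for the CVE-2022-24828 indicators above, run over constructed sample data.

Added example, not Composer's or a vendor's code. The record layout (one JSON object
per line with fields type, parent, cmdline, message) is an assumption of this example.
"""
import json
import re
import shlex

# Constructed sample feed: four Composer-spawned VCS commands, one unrelated git
# call from an interactive shell, and two Composer application log lines.
SAMPLE_LOG = """\
{"type":"exec","parent":"php","cmdline":"git show 'v2.1.0':'composer.json'"}
{"type":"exec","parent":"php","cmdline":"git show '--attacker-option=x':'README.md'"}
{"type":"exec","parent":"php","cmdline":"hg cat -r 'default' '--attacker-option=x'"}
{"type":"exec","parent":"php","cmdline":"hg cat -r 'default' -- '--attacker-option=x'"}
{"type":"exec","parent":"bash","cmdline":"git show --stat HEAD"}
{"type":"app","message":"RuntimeException: Invalid git identifier detected. Identifier must not start with a -, given: --attacker-option=x"}
{"type":"app","message":"Installing acme/widget (1.4.2)"}
"""

# Parent process names under which Composer's VcsDriver is expected to run (assumed).
VCS_PARENTS = {"php", "php-fpm", "composer"}
# Messages emitted by the patched GitDriver/HgDriver when an identifier is rejected.
BLOCKED_RE = re.compile(r"Invalid (git|hg) identifier detected")


def option_like_positionals(argv):
    """Tokens that git show / hg cat would parse as options where only a ref or path
    is expected. Honours the `--` terminator and the expected `-r <rev>` pair of hg cat."""
    if len(argv) < 3 or (argv[0], argv[1]) not in {("git", "show"), ("hg", "cat")}:
        return []
    hits, skip = [], False
    for tok in argv[2:]:
        if skip:
            skip = False
            continue
        if tok == "--":
            break
        if tok == "-r" and argv[0] == "hg":
            skip = True
            continue
        if tok.startswith("-"):
            hits.append(tok)
    return hits


def analyse(log_text):
    """Return (severity, reason) findings, one per suspicious record."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["type"] == "exec" and rec["parent"] in VCS_PARENTS:
            argv = shlex.split(rec["cmdline"])
            bad = option_like_positionals(argv)
            if bad:
                findings.append(("high", f"option injection reached {argv[0]}: {bad}"))
        elif rec["type"] == "app":
            m = BLOCKED_RE.search(rec["message"])
            if m:
                findings.append(("medium", f"patched {m.group(1)} driver rejected an identifier (attempt blocked)"))
    return findings


if __name__ == "__main__":
    for severity, reason in analyse(SAMPLE_LOG):
        print(severity, reason)
```

Severity is deliberately split: an option-looking token that actually reached git or hg from a PHP parent means the injection landed on an unpatched host, whereas the RuntimeException message means the patched check did its job and only an attempt needs follow-up.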
How to Mitigate CVE-2022-24828
Immediate Actions Required
- Update Composer, including any copy of the Composer library bundled into an integration, to 1.10.26, 2.2.12 or 2.3.5 (or later) immediately
- Audit any custom integrations using VcsDriver::getFileContent for proper input validation
- Review recently installed packages for potential compromise
- Implement network-level monitoring for suspicious VCS traffic from build systems
Patch Information
The vulnerability has been addressed in Composer 1.10.26, 2.2.12 and 2.3.5. The security fix adds validation to reject identifiers starting with a hyphen character and uses the -- argument separator in the Mercurial command so the file path is always treated as a positional argument. The patch is in commit 2c40c53637c5c7e43fff7c09d3d324d632734709. Additionally, Tenable has released Tenable Security Advisory TNS-2022-09 addressing this vulnerability in Tenable.sc. Fedora users should apply updates through the standard package management system for Fedora 34, 35, and 36. For more details, see the GitHub Security Advisory.
Workarounds
- Restrict network access to package registries from production systems
- Implement strict input validation for any custom code calling VcsDriver::getFileContent
- Use a private Packagist mirror with vetted packages only
- Consider running Composer operations in isolated container environments
# Update Composer to the latest patched version (fixed releases: 1.10.26, 2.2.12, 2.3.5)
composer self-update
# Verify the reported version is at or above the fixed release for your major line
composer --version
# Clear Composer cache to remove potentially compromised data
composer clear-cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


