CVE-2024-24821 Overview
CVE-2024-24821 is a high-severity local code execution vulnerability in Composer, the widely used dependency manager for PHP. The vulnerability allows arbitrary code execution through the inclusion of tampered files within the local working directory during Composer invocation. When Composer CLI commands are executed, several files from the project's vendor directory are loaded in the context of the executing user, enabling potential privilege escalation, lateral movement, or malicious code execution.
Critical Impact
This vulnerability affects all Composer CLI commands including composer.phar's self-update mechanism. Attackers who can modify files in the vendor/composer/ directory can achieve code execution with the privileges of the user running Composer, potentially leading to root privilege escalation when Composer is run with sudo.
Affected Products
- Composer versions prior to 2.7.0
- Composer versions prior to 2.2.23 (LTS branch)
- All Composer CLI commands including self-update functionality
Discovery Timeline
- 2024-02-09 - CVE-2024-24821 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-24821
Vulnerability Analysis
The vulnerability stems from Composer's automatic inclusion of files from the local working directory during execution. Specifically, the files vendor/composer/InstalledVersions.php and vendor/composer/installed.php are loaded and executed when any Composer command runs. This behavior is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), where the application includes executable code from a source that may be outside the intended control sphere.
The attack requires local access to modify files within the project directory. Once malicious code is injected into the vulnerable files, it executes with the same privileges as the user running Composer. This is particularly dangerous in scenarios where Composer is executed with elevated privileges using sudo, potentially leading to full system compromise.
Root Cause
The root cause is the unconditional loading of PHP files from the vendor/composer/ directory without proper validation of their contents or origin. The Composer runtime trusts these files implicitly, assuming they contain legitimate package metadata generated by Composer itself. This trust assumption can be violated in shared environments or when working with untrusted project sources.
The security patch addresses this by introducing additional validation through the FilesystemRepository class, implementing proper checks using the Composer\Pcre\Preg module to sanitize and validate file contents before inclusion.
Attack Vector
The attack requires local access (AV:L) with low privileges (PR:L) and no user interaction (UI:N). High-risk scenarios include:
- Sudo Execution: Running Composer with sudo privileges allows attackers to escalate to root
- CI/CD Pipelines: Automated pipelines executing Composer on untrusted projects may execute malicious code
- Shared Development Environments: When multiple developers share one project directory, any of them can tamper with the files that another developer's Composer run will load
// Security patch excerpt from src/Composer/Factory.php
// Adding FilesystemRepository for secure file handling
use Composer\Package\Archiver;
use Composer\Package\Version\VersionGuesser;
use Composer\Package\RootPackageInterface;
+use Composer\Repository\FilesystemRepository;
use Composer\Repository\RepositoryManager;
use Composer\Repository\RepositoryFactory;
use Composer\Util\Filesystem;
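Review bot: Only the `+use Composer\Repository\FilesystemRepository;` import is added in this hunk; nothing visible here shows where Factory.php constructs or calls FilesystemRepository, so the "secure file handling" the comment claims cannot be verified from this excerpt alone. Include the hunk that actually uses the class so a reader can see which loaded file is validated and how.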
Source: GitHub Commit 64e4eb3
// Security patch excerpt from src/Composer/Repository/FilesystemRepository.php
// Adding Preg module for input validation
use Composer\Package\AliasPackage;
use Composer\Package\Dumper\ArrayDumper;
use Composer\Installer\InstallationManager;
+use Composer\Pcre\Preg;
use Composer\Util\Filesystem;
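Review bot: As with the previous excerpt, this hunk adds only the `+use Composer\Pcre\Preg;` import; the call site where Preg is applied to the contents of installed.php or InstalledVersions.php is not shown, so the "input validation" described in the comment is not traceable from these lines. Quote the lines of FilesystemRepository.php that perform the check, including what happens when the check fails (is the file rejected, rewritten, or merely warned about?).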
use Composer\Util\Platform;
Source: GitHub Commit 64e4eb3
Detection Methods for CVE-2024-24821
Indicators of Compromise
- Unexpected modifications to vendor/composer/InstalledVersions.php or vendor/composer/installed.php files
- PHP files in the vendor/composer directory containing suspicious code patterns such as eval(), exec(), system(), or base64-encoded strings
- Unusual process spawning from PHP processes executing Composer commands
- File integrity changes in the vendor directory not associated with legitimate dependency updates
Detection Strategies
- Implement file integrity monitoring (FIM) on vendor/composer/InstalledVersions.php and vendor/composer/installed.php files
- Monitor for Composer processes spawning unexpected child processes or network connections
- Audit sudo command logs for Composer executions with elevated privileges
- Review CI/CD pipeline logs for Composer commands executed on untrusted or external repositories
Monitoring Recommendations
- Configure security monitoring to alert on any changes to files in the vendor/composer/ directory outside of normal dependency update operations
- Monitor for PHP file modifications in project directories by users other than the project owner
- Implement process behavior analysis to detect anomalous activity following Composer command execution
- Enable audit logging for all sudo command executions to track privileged Composer usage
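The file integrity monitoring and content checks listed under Indicators of Compromise, Detection Strategies and Monitoring Recommendations can be combined into one audit routine. The following is an added example, not code from Composer or from this advisory: it hashes the two files the advisory names against a baseline recorded after a trusted `composer install`, and scans their contents for the eval()/exec()/system()/base64 patterns the advisory lists. The sample file contents, the baseline hashes and the injected line are constructed for the demonstration; the pattern list and the `load_project` helper are this example's own choices, not Composer's.

```python
"""Added example (not Composer's own code): audit the two files Composer loads
from vendor/composer/ against a known-good baseline and flag suspicious content."""
import hashlib
import re
from pathlib import Path

# The two files the advisory says Composer loads from the working directory.
AUDITED_FILES = ("vendor/composer/installed.php", "vendor/composer/InstalledVersions.php")

# Patterns taken from the advisory's indicators of compromise. Metadata generated
# by Composer contains no calls to these functions and no long base64 blobs.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "exec": re.compile(r"\b(?:exec|shell_exec|system|passthru|proc_open|popen)\s*\("),
    "base64": re.compile(r"base64_decode\s*\(|[A-Za-z0-9+/]{80,}={0,2}"),
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_content(content: str) -> list:
    """Return the names of the IoC patterns present in a file's content."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]

def audit_file(path: str, content: bytes, baseline: dict) -> dict:
    """Compare one file against its baseline hash and scan it for suspicious patterns."""
    digest = sha256_of(content)
    expected = baseline.get(path)
    return {
        "path": path,
        "hash_mismatch": expected is not None and expected != digest,
        "unbaselined": expected is None,
        "patterns": scan_content(content.decode("utf-8", errors="replace")),
    }

def audit_project(files: dict, baseline: dict) -> list:
    """files maps path -> bytes. Returns only the findings that need attention:
    a missing file, a hash that drifted from the baseline, a file with no
    baseline at all, or a file containing one of the IoC patterns."""
    findings = []
    for path in AUDITED_FILES:
        if path not in files:
            findings.append({"path": path, "missing": True})
            continue
        result = audit_file(path, files[path], baseline)
        if result["hash_mismatch"] or result["unbaselined"] or result["patterns"]:
            findings.append(result)
    return findings

def load_project(root: str) -> dict:
    """Read the audited files from a real checkout (hypothetical helper for on-disk use)."""
    base = Path(root)
    return {p: (base / p).read_bytes() for p in AUDITED_FILES if (base / p).is_file()}

# Constructed sample data: a clean installed.php, a baseline recorded after a trusted
# `composer install`, and an InstalledVersions.php with one injected line.
CLEAN_INSTALLED = b"<?php return array('root' => array('name' => 'example/app'), 'versions' => array());\n"
TAMPERED_VERSIONS = (b"<?php\n"
    b"eval(base64_decode('cGhwaW5mbygpOw=='));  // injected line (constructed)\n"
    b"class InstalledVersions {}\n")
SAMPLE_FILES = {AUDITED_FILES[0]: CLEAN_INSTALLED, AUDITED_FILES[1]: TAMPERED_VERSIONS}
SAMPLE_BASELINE = {AUDITED_FILES[0]: sha256_of(CLEAN_INSTALLED),
                   AUDITED_FILES[1]: sha256_of(b"<?php\nclass InstalledVersions {}\n")}

if __name__ == "__main__":
    # On a real host: audit_project(load_project("/path/to/project"), baseline_from_fim)
    for finding in audit_project(SAMPLE_FILES, SAMPLE_BASELINE):
        print(finding)
```

Run against the sample data, the clean installed.php is silent and InstalledVersions.php is reported with both a hash mismatch and the `eval` and `base64` patterns. The baseline is the part a FIM tool normally supplies; record it immediately after a trusted install and again after every legitimate dependency update, otherwise every `composer update` looks like tampering.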
How to Mitigate CVE-2024-24821
Immediate Actions Required
- Upgrade Composer to version 2.7.0 or later (or 2.2.23 for the LTS branch) immediately
- Remove all sudo privileges for Composer commands across all users to mitigate root privilege escalation risk
- Audit existing Composer installations and verify the integrity of vendor/composer/InstalledVersions.php and vendor/composer/installed.php files
- Avoid running Composer within untrusted directories or on projects from unknown sources
Patch Information
The vulnerability has been addressed in Composer versions 2.7.0 and 2.2.23. The security patch introduces proper file validation through the FilesystemRepository class and implements content sanitization using the Composer\Pcre\Preg module. Organizations should apply the patched versions at the earliest convenience. For technical details, refer to the GitHub Security Advisory GHSA-7c6p-848j-wh5h and the official patch commit.
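Because the fix landed on two branches with different version numbers, a naive "less than 2.7.0" comparison misclassifies patched LTS releases such as 2.2.23. The following added example, not code from Composer or from this advisory, encodes the affected ranges stated above: below 2.7.0 on the main branch, below 2.2.23 on the 2.2 LTS branch. The `installed_composer_version` helper, the command it runs and the sample output string are this example's assumptions.

```python
"""Added example (not Composer's own code): decide whether an installed Composer
version falls inside the affected ranges stated in the advisory."""
import re
import subprocess

FIXED_MAIN = (2, 7, 0)    # first fixed release on the main branch
FIXED_LTS = (2, 2, 23)    # first fixed release on the 2.2 LTS branch

def parse_version(text: str) -> tuple:
    """Extract the first X.Y.Z triple from `composer --version` output,
    e.g. 'Composer version 2.6.6 2023-12-08 18:32:26' (constructed sample)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version: tuple) -> bool:
    """The 2.2.x LTS branch is fixed from 2.2.23; every other version is fixed from 2.7.0."""
    if version[:2] == (2, 2):
        return version < FIXED_LTS
    return version < FIXED_MAIN

def installed_composer_version(command=("composer", "--version")) -> tuple:
    """Run the real composer binary on a live host (assumed command line)."""
    out = subprocess.run(command, capture_output=True, text=True, check=True).stdout
    return parse_version(out)

if __name__ == "__main__":
    v = installed_composer_version()
    print("affected" if is_affected(v) else "patched", ".".join(map(str, v)))
```

Wire `is_affected` into whatever inventory tooling already collects `composer --version` from build agents and developer machines; the LTS branch case is the one most fleet scripts get wrong.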
Workarounds
- Remove sudo Composer privileges for all users to prevent root privilege escalation
- Verify contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code before running Composer
- Reset potentially compromised files by removing and regenerating them using the commands below
- Implement strict access controls on project directories in shared development environments
- Review and sanitize all project files before running Composer on externally sourced code
# Reset potentially compromised vendor files
# Delete the two files Composer loads from the working directory at startup
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
# Regenerate them from composer.lock without running package scripts or plugins
composer install --no-scripts --no-plugins
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.