CVE-2024-35241 Overview
CVE-2024-35241 is a command injection vulnerability affecting Composer, the widely used dependency manager for PHP. On the 2.x branch, in versions prior to 2.2.24 and 2.7.7, the status, reinstall, and remove commands can be exploited when a package installed from source via git contains a specially crafted branch name in its repository. This allows attackers to execute arbitrary code on systems running vulnerable versions of Composer.
Critical Impact
Attackers can achieve arbitrary code execution by crafting malicious git branch names that are processed unsafely by Composer commands, potentially compromising development environments and CI/CD pipelines.
Affected Products
- Composer 2.x versions prior to 2.2.24 (2.2 LTS branch)
- Composer 2.x versions prior to 2.7.7 (mainline branch)
- Systems using git-based package installation with Composer
Discovery Timeline
- 2024-06-10 - CVE-2024-35241 published to NVD
- 2025-04-21 - Last updated in NVD database
Technical Details for CVE-2024-35241
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Command Injection), where user-controllable input is improperly sanitized before being passed to a system command. The attack requires user interaction, as a developer must execute specific Composer commands (status, reinstall, or remove) on packages that were installed from a malicious git repository.
The vulnerability poses significant risk to PHP development environments where dependencies are managed via git sources rather than packaged distributions. The impact extends to confidentiality, integrity, and availability, as successful exploitation allows complete control over the affected system within the context of the user running Composer.
Root Cause
The root cause of CVE-2024-35241 lies in insufficient input validation and sanitization of git branch names when Composer processes packages installed from source repositories. When a repository contains a specially crafted branch name with embedded command sequences, Composer fails to properly escape or validate this input before using it in shell operations.
This allows an attacker who controls a git repository (or can inject malicious branch names) to embed shell metacharacters or command sequences within branch names that get executed when the affected Composer commands process the repository metadata.
Attack Vector
The attack vector is network-based but requires user interaction. An attacker must:
- Create or compromise a git repository used as a Composer dependency
- Craft a malicious branch name containing command injection payloads
- Wait for a victim to install the dependency from git source (with --prefer-source or the default behavior)
- Wait for the victim to execute one of the vulnerable commands: status, reinstall, or remove
The malicious branch name is not sanitized when these commands construct shell operations, allowing the embedded commands to execute with the privileges of the user running Composer. This could lead to data exfiltration, backdoor installation, or lateral movement within development infrastructure.
Detection Methods for CVE-2024-35241
Indicators of Compromise
- Unexpected command execution or process spawning during Composer operations
- Unusual network connections initiated from development environments during composer status, composer reinstall, or composer remove commands
- Git repositories with branch names containing shell metacharacters such as ;, |, $(), or backticks
- Anomalous file system changes following Composer command execution
Detection Strategies
- Monitor for unusual child processes spawned by PHP or Composer processes
- Implement file integrity monitoring on development systems and CI/CD runners
- Audit git repository branch names in dependencies for suspicious characters or patterns
- Review Composer logs and command history for unexpected behaviors
Monitoring Recommendations
- Enable verbose logging for Composer operations in production and development environments
- Configure endpoint detection to alert on shell command execution from PHP processes
- Implement network monitoring for unexpected outbound connections from build servers
- Regularly audit the list of git-sourced dependencies in composer.lock files
How to Mitigate CVE-2024-35241
Immediate Actions Required
- Upgrade Composer to version 2.2.24 (for 2.2 LTS users) or 2.7.7 (for mainline users) immediately
- Audit all projects for dependencies installed via git source and consider reinstalling from distribution packages
- Review CI/CD pipeline configurations to ensure they use patched Composer versions
- Scan existing composer.lock files for packages with git source installations
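The audits called for above (checking composer.lock for git-sourced packages and for branch names with shell metacharacters) can be scripted. The following is an added example, not Composer's own code; it works on a constructed composer.lock excerpt and uses a heuristic for "installed from source" (git source with no dist archive, or a branch-based dev-* version) that is an assumption rather than Composer's internal logic.

```python
import json
import re

# Metacharacters a shell would interpret. Git allows ';', '|', '$', '(', ')' and
# backticks in ref names, which is exactly what CVE-2024-35241 abuses.
SHELL_META = re.compile(r"[;|&`$(){}<>]")

# Constructed composer.lock excerpt (sample data, not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/clean-lib", "version": "1.4.2",
         "source": {"type": "git", "url": "https://example.invalid/clean.git", "reference": "0123abcd"},
         "dist": {"type": "zip", "url": "https://example.invalid/clean.zip", "reference": "0123abcd"}},
        {"name": "acme/branch-lib", "version": "dev-feature;x",
         "source": {"type": "git", "url": "https://example.invalid/branch.git", "reference": "feature;x"}},
    ],
    "packages-dev": [
        {"name": "acme/tool", "version": "dev-main",
         "source": {"type": "git", "url": "https://example.invalid/tool.git", "reference": "89ab4567"}},
    ],
})


def git_sourced_packages(lock_text):
    """Packages likely installed from a git checkout rather than a dist archive.
    Heuristic (an assumption, not Composer's own logic): git 'source' plus either
    no 'dist' archive or a branch-based 'dev-*' version, which is resolved by name.
    """
    found = []
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if (pkg.get("source") or {}).get("type") != "git":
                continue
            if "dist" not in pkg or pkg.get("version", "").startswith("dev-"):
                found.append(pkg)
    return found


def suspicious_refs(lock_text):
    """(name, version) of git-sourced packages whose branch or reference carries shell metacharacters."""
    flagged = []
    for pkg in git_sourced_packages(lock_text):
        version = pkg.get("version", "")
        branch = version[4:] if version.startswith("dev-") else ""   # strip the 'dev-' prefix
        reference = pkg["source"].get("reference", "")
        if SHELL_META.search(branch) or SHELL_META.search(reference):
            flagged.append((pkg["name"], version))
    return flagged
```

Run suspicious_refs() over the real composer.lock of each project; any hit is a package that should be reinstalled from a dist archive and investigated before status, reinstall, or remove are run on it with an unpatched Composer.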
Patch Information
Security patches are available in Composer versions 2.2.24 and 2.7.7. The fixes address the improper handling of git branch names in the affected commands. Detailed patch information can be found in the GitHub Security Advisory and the associated commits.
Linux distribution users should also check for updates through their package managers. Fedora has released package announcements addressing this vulnerability.
Workarounds
- Use the --prefer-dist flag when installing packages to avoid git-based installations
- Configure preferred-install: dist in your composer.json or global Composer configuration
- Avoid using the status, reinstall, or remove commands on packages from untrusted git sources until patched
- Consider implementing repository allowlists to restrict git-based installations to trusted sources only
# Configuration example to prefer distribution packages
# Add to composer.json or ~/.composer/config.json
composer config preferred-install dist
# Or specify globally
composer config --global preferred-install dist
# When installing dependencies, explicitly use distribution packages
composer install --prefer-dist
composer update --prefer-dist
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.