CVE-2024-35242 Overview
CVE-2024-35242 is a command injection vulnerability in Composer, the dependency manager for PHP. The flaw affects the 2.x branch: 2.2 LTS releases before 2.2.24 and mainline releases before 2.7.7. When composer install runs inside a Git or Mercurial repository, a specially crafted branch name is interpolated unsanitized into a shell command line. An attacker who controls a repository can therefore trigger arbitrary command execution on the developer or CI host that clones and installs it. The issue is classified as CWE-77 (Command Injection) and is documented in the GitHub Security Advisory GHSA-v9qv-c7wm-wgmf.
Critical Impact
Cloning and installing an untrusted PHP project can lead to arbitrary command execution on the host running Composer, enabling supply-chain compromise of developer workstations and CI/CD runners.
Affected Products
- Composer 2.x branch prior to 2.2.24 (2.2 LTS)
- Composer 2.x branch prior to 2.7.7 (mainline)
- Fedora packages of Composer covered by the Fedora package announcement
Discovery Timeline
- 2024-06-10 - CVE-2024-35242 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-35242
Vulnerability Analysis
The vulnerability resides in src/Composer/Package/Version/VersionGuesser.php. When Composer attempts to determine the version of a feature branch, it shells out to git rev-list using a string template that includes branch names. Branch names in Git and Mercurial may contain shell metacharacters, and Composer historically interpolated them into a single command string passed to a shell. An attacker who publishes a repository containing a branch with a name such as $(payload) can have that payload executed by the shell that Composer spawns. Exploitation requires the victim to clone the malicious repository and run composer install, which is a routine workflow in PHP development and continuous integration.
Root Cause
The VersionGuesser component built a command string by substituting the %candidate% and %branch% tokens directly into 'git rev-list %candidate%..%branch%'. The resulting string was executed through a shell, so any shell metacharacters present in the branch name were interpreted by the shell rather than passed to git as a literal argument. This is the classic string-versus-argument-array command construction flaw (CWE-77).
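The following is an added example, not Composer's own code, that reproduces the two command shapes described above in Python: a single shell string with the branch name interpolated into it, beside the argv-array form. It assumes two things, also labelled in the comments: printf stands in for git rev-list so the demo runs without a repository, and a POSIX shell is present for the deliberately unsafe string form. The function names (run_string_form, run_argv_form, build_git_argv) are this example's own. build_git_argv also adds the -- separator from the 2.2 LTS fix, so it demonstrates both hardening steps the advisory mentions.

```python
"""String-vs-argv command construction, as in CVE-2024-35242 (added example)."""
import subprocess

# Constructed sample values, not taken from the advisory.
CANDIDATE = "1.x"
# git accepts '$', '(' and ')' in ref names, so this is a legal branch name.
HOSTILE_BRANCH = "feature-$(id)"

# ASSUMPTION: 'printf' stands in for 'git rev-list' so the demo needs no repo.
STRING_TEMPLATE = "printf '%s\\n' %candidate%..%branch%"
ARGV_TEMPLATE = ["printf", "%s\n", "%candidate%..%branch%"]


def _fill(token: str, candidate: str, branch: str) -> str:
    """Substitute the two placeholders into one token of a template."""
    return token.replace("%candidate%", candidate).replace("%branch%", branch)


def run_string_form(candidate: str, branch: str) -> str:
    """Vulnerable shape (before the fix): the ref name becomes part of ONE
    string that a shell parses, so '$(...)' inside it is executed."""
    cmd = _fill(STRING_TEMPLATE, candidate, branch)
    # shell=True is the defect being demonstrated; never do this with ref names.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_form(candidate: str, branch: str) -> str:
    """Fixed shape: an argv list and no shell; the ref name reaches the
    program exactly as written, metacharacters included."""
    argv = [_fill(tok, candidate, branch) for tok in ARGV_TEMPLATE]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def build_git_argv(candidate: str, branch: str) -> list:
    """The argv that a hardened version check would hand to git: array form
    (commit 6bd43dff) plus the '--' separator (2.2 LTS fix) so a ref name that
    begins with '-' is read by rev-list as data, never as an option.
    Not executed here because it needs a real repository."""
    template = ["git", "rev-list", "--", "%candidate%..%branch%"]
    return [_fill(tok, candidate, branch) for tok in template]


if __name__ == "__main__":
    print("shell string :", run_string_form(CANDIDATE, HOSTILE_BRANCH).rstrip())
    print("argv array   :", run_argv_form(CANDIDATE, HOSTILE_BRANCH).rstrip())
    print("hardened git :", build_git_argv(CANDIDATE, HOSTILE_BRANCH))
```

Run it and the first line shows the output of id spliced into the "branch" where the shell expanded the substitution; the second shows the literal text $(id), because without a shell there is nothing to expand. The third line is the only shape a version guesser should ever execute.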
Attack Vector
The attack vector is network-based but requires user interaction in the form of cloning an untrusted repository. Typical scenarios include a developer evaluating a third-party project, a CI job that clones a forked pull request, or any automated pipeline that runs composer install against attacker-controlled source. The injected command runs with the privileges of the user invoking Composer.
$featurePrettyVersion = $prettyVersion;
// try to find the best (nearest) version branch to assume this feature's version
- $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path);
+ $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['git', 'rev-list', '%candidate%..%branch%'], $path);
$version = $result['version'];
$prettyVersion = $result['pretty_version'];
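Review bot: the argv array on the `+` line stops the shell from interpreting the ref names, but `%candidate%..%branch%` is still a bare positional argument, so a candidate token that begins with `-` would be parsed by `git rev-list` as an option; the `--` separator that the 2.2 LTS fix adds for exactly this reason (noted below) belongs here as well, i.e. `['git', 'rev-list', '--', '%candidate%..%branch%']`.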
Source: composer/composer commit 6bd43dff. The patch converts the command from a shell string into an argv array, so branch names are passed as discrete arguments to git and are never reinterpreted by the shell. A complementary fix in the 2.2 LTS branch adds the -- separator to prevent option injection, shown in commit fc57b936.
Detection Methods for CVE-2024-35242
Indicators of Compromise
- Git or Mercurial branch references containing shell metacharacters such as $(, backticks, ;, |, or && in .git/refs/heads or .git/packed-refs.
- Unexpected child processes spawned by php or composer during composer install, particularly shells invoked as sh -c or bash -c, and network utilities such as curl, wget, or nc.
- Outbound connections from CI runners or developer workstations originating from a Composer process tree shortly after repository clone.
Detection Strategies
- Hunt EDR telemetry for process lineages where composer or php spawn /bin/sh -c with arguments containing branch-like tokens. Behavioral AI engines such as those in Singularity Endpoint surface these anomalous developer-tool process trees.
- Inspect repositories before installation using git for-each-ref --format='%(refname)' and flag refs containing characters outside [A-Za-z0-9._/-].
- Centralize CI logs into a SIEM and alert on Composer exit codes accompanied by unexpected child process names. The Singularity Data Lake can normalize CI and endpoint telemetry through OCSF for cross-source correlation.
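The following is an added example, not from the advisory or from Composer, implementing the pre-install ref check described in the second strategy: it applies the allow-list [A-Za-z0-9._/-] to ref names and reports which shell metacharacters each flagged ref contains. It reads ref names from the output of git for-each-ref --format='%(refname)' and, for offline review of a checkout, from .git/packed-refs. Both inputs below are constructed samples (including the object ids), and the function names (parse_packed_refs, scan_refnames, refs_are_safe) are this example's own.

```python
"""Flag Git ref names outside [A-Za-z0-9._/-] before 'composer install' (added example)."""
import re
import sys
from typing import Iterable, List, Tuple

SAFE_REF = re.compile(r"^[A-Za-z0-9._/-]+$")
# Characters a POSIX shell treats specially; used to describe what was found.
SHELL_META = set("$`;|&()<>\"'{}*?!\\ \t\n#")

# Constructed sample of `git for-each-ref --format='%(refname)'` output.
FOR_EACH_REF_OUTPUT = """refs/heads/main
refs/heads/1.x
refs/heads/feature-$(id)
refs/heads/topic`uname`
refs/remotes/origin/main
refs/tags/v1.2.3
"""

# Constructed sample .git/packed-refs file (object ids are placeholders).
PACKED_REFS = """# pack-refs with: peeled fully-peeled sorted
0123456789abcdef0123456789abcdef01234567 refs/heads/main
0123456789abcdef0123456789abcdef01234568 refs/heads/feature-$(id)
0123456789abcdef0123456789abcdef01234569 refs/tags/v1.0.0
^0123456789abcdef0123456789abcdef0123456a
"""


def parse_packed_refs(text: str) -> List[str]:
    """Return ref names from a packed-refs file, skipping the header
    comment and the '^' lines that hold peeled tag targets."""
    names = []
    for line in text.splitlines():
        if not line or line.startswith(("#", "^")):
            continue
        parts = line.split(" ", 1)
        if len(parts) == 2:
            names.append(parts[1])
    return names


def scan_refnames(refnames: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (refname, metacharacters) for each ref outside the allow-list.
    The metacharacter string is empty when a ref merely uses a character
    outside the allow-list (e.g. '@') without any shell significance."""
    flagged = []
    for ref in refnames:
        if SAFE_REF.match(ref):
            continue
        meta = "".join(sorted(set(ref) & SHELL_META))
        flagged.append((ref, meta))
    return flagged


def refs_are_safe(for_each_ref_output: str, packed_refs: str = "") -> bool:
    """True when no ref from either source falls outside the allow-list."""
    refs = for_each_ref_output.splitlines() + parse_packed_refs(packed_refs)
    return not scan_refnames(refs)


if __name__ == "__main__":
    # Usage: git for-each-ref --format='%(refname)' | python3 scan_refs.py
    hits = scan_refnames(line.strip() for line in sys.stdin if line.strip())
    for ref, meta in hits:
        print(f"SUSPICIOUS {ref!r} metacharacters={meta!r}")
    sys.exit(1 if hits else 0)
```

An allow-list is necessary rather than a blocklist because git's own ref-name rules (git check-ref-format) reject spaces, control characters and a handful of symbols such as ~ ^ : ? * [ and backslash, but accept $, parentheses, semicolons, pipes, ampersands and backticks, which is exactly the set a shell would act on. Wire the script into the CI step that runs before composer install so a non-zero exit aborts the build.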
Monitoring Recommendations
- Monitor composer install invocations on shared build infrastructure and capture full command lines and parent-child process relationships.
- Inventory installed Composer versions across developer endpoints and reject any host still running a release below 2.2.24 (2.2 LTS) or 2.7.7 (mainline).
- Alert on first-time outbound network destinations from CI runners during the dependency-resolution phase of builds.
How to Mitigate CVE-2024-35242
Immediate Actions Required
- Upgrade Composer to 2.2.24 on the 2.2 LTS branch or 2.7.7 on mainline across all developer workstations, container images, and CI runners.
- Rebuild and republish any base images that embed Composer so downstream pipelines pull a patched binary.
- Audit recent CI runs that cloned external or fork-based repositories for unexpected processes or outbound connections.
Patch Information
Fixes are provided in upstream commits 6bd43dff and fc57b936, both linked from GHSA-v9qv-c7wm-wgmf. Distribution updates are available via the Fedora package announcements (PO4MU2BC and VLPJHM2W).
Workarounds
- Avoid cloning repositories from untrusted sources until Composer is upgraded.
- Run composer install only inside ephemeral, network-restricted sandboxes for unverified projects.
- Restrict CI jobs that build pull requests from forks to run with minimal credentials and no write access to internal artifact stores.
# Upgrade Composer to a patched release
composer self-update 2.7.7
# Or for the 2.2 LTS branch
composer self-update 2.2.24
# Verify the installed version
composer --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.