
Latest Composer Security Vulnerabilities

Sandworm actively monitors all new Composer package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.


Detected On: 13 Oct 2023
Affected Install Script: install-scripts:post-update-cmd
Severity: moderate

The post-update-cmd hook deletes everything under app/etc and then removes the directory itself, so a routine composer update erases the application's configuration files. The same hook then runs vendor/bin/phpcs with arguments taken from shell variables. If any of those variables can be influenced by whoever triggers the update (the environment of a CI job, for example), the command line can be altered, and the binary itself is whatever the installed dependency tree placed in vendor/bin. Together these give an attacker a path both to destroying configuration and to running code on the machine that performs the update.

Detected On: 9 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The post-install-cmd hook uses the phive tool to fetch a PHAR and forces acceptance of unsigned archives (phive's --force-accept-unsigned option). phive normally checks a GPG signature on each PHAR before installing it; with that check disabled, nothing confirms who published the archive or that it was not altered in transit, so a malicious or tampered PHAR is installed and later executed with the privileges of the user running composer install, which can mean stolen data or a compromised host.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:post-update-cmd
Severity: moderate

The post-update-cmd hook installs or updates a Git pre-commit hook (pre-commit.php). The content of pre-commit.php is not part of the hook definition, so someone reviewing composer.json cannot see what it does, yet Git runs it, with the committing user's privileges, before every commit in that working copy. Anything hidden in it, from exfiltrating credentials to running arbitrary commands, executes each time a developer commits.

The hook file is also set to mode 0777, which makes it readable, writable and executable by every user on the machine. Any local user can therefore rewrite the hook and have their code run on the next commit. The risk is the combination: the hook's behaviour is invisible at install time, and the world-writable permission lets anyone change it afterwards.
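The three findings above share a shape: a Composer lifecycle hook (post-install-cmd / post-update-cmd) that runs a shell line doing something destructive, unverified, or world-writable. The following script is an added example, not Sandworm's scanner or any project's code, that audits a composer.json for these patterns. The regexes, the severities and the sample manifests are constructed for illustration and only mirror the three entries on this page; a real scanner would need a wider rule set.

```python
"""Audit Composer lifecycle hooks for the risk patterns described above.

Added example (not Sandworm's scanner). Heuristics and sample manifests
are constructed for illustration.
"""
import json
import re

# Hook events Composer runs automatically during install/update.
LIFECYCLE_EVENTS = {
    "pre-install-cmd", "post-install-cmd",
    "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump",
    "post-root-package-install", "post-create-project-cmd",
}

# (name, regex, severity, reason): constructed heuristics, one per finding type.
PATTERNS = [
    ("destructive-rm",
     re.compile(r"\brm\s+-[a-zA-Z]*[rf][a-zA-Z]*\s+"),
     "moderate", "recursive/forced delete inside an install hook"),
    ("unsigned-phive",
     re.compile(r"\bphive\b.*--force-accept-unsigned"),
     "moderate", "phive told to accept unsigned PHARs (signature check skipped)"),
    ("world-writable-chmod",
     re.compile(r"\bchmod\s+(?:-[a-zA-Z]+\s+)*0?777\b"),
     "moderate", "chmod 0777 makes the target writable by every local user"),
    ("git-hook-install",
     re.compile(r"\.git/hooks/|core\.hooksPath"),
     "low", "install hook writes a git hook whose contents run on every commit"),
    ("shell-var-in-command",
     re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?"),
     "low", "command line built from shell/environment variables"),
]


def audit_manifest(manifest: dict) -> list:
    """Return one finding dict per (command, pattern) hit in lifecycle hooks."""
    findings = []
    for event, commands in manifest.get("scripts", {}).items():
        if event not in LIFECYCLE_EVENTS:
            continue  # custom scripts only run when invoked explicitly
        if isinstance(commands, str):
            commands = [commands]
        for cmd in commands:
            # "@alias" and "Class::method" entries are not shell lines.
            if cmd.startswith("@") or "::" in cmd:
                continue
            for name, rx, severity, reason in PATTERNS:
                if rx.search(cmd):
                    findings.append({"event": event, "command": cmd,
                                     "pattern": name, "severity": severity,
                                     "reason": reason})
    return findings


def audit_json(text: str) -> list:
    """Convenience wrapper: audit a raw composer.json document."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests, one per finding on this page plus a benign one.
SAMPLE_MANIFESTS = {
    "wipes-config": {"scripts": {"post-update-cmd": [
        "rm -rf app/etc/* && rmdir app/etc",
        "vendor/bin/phpcs $PHPCS_ARGS"]}},
    "unsigned-phive": {"scripts": {"post-install-cmd":
        "phive install --force-accept-unsigned phpunit"}},
    "hook-0777": {"scripts": {"post-update-cmd": [
        "cp tools/pre-commit.php .git/hooks/pre-commit",
        "chmod 0777 .git/hooks/pre-commit"]}},
    "benign": {"scripts": {"post-install-cmd": "@php artisan package:discover",
                            "test": "rm -rf build && phpunit"}},
}

if __name__ == "__main__":
    for label, manifest in SAMPLE_MANIFESTS.items():
        for f in audit_manifest(manifest):
            print(f"{label}: {f['event']} [{f['severity']}] "
                  f"{f['pattern']}: {f['command']}")
```

Note that the "test" script in the benign manifest also contains rm -rf but is not flagged: it is not a lifecycle event, so it only runs when a developer asks for it, which is the distinction that makes the install-hook cases dangerous.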
