In the latest developments, PHP Composer has released an update that addresses a critical vulnerability in the package manager.

What is PHP Composer?

Composer’s initial release was deployed in 2021. It is a dependency manager for PHP that also makes it easy to install the packages a project needs. It allows users to install PHP packages that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.

Critical vulnerability within the code:

The critical security hole in PHP Composer was reported to allow a malicious attacker to achieve arbitrary code execution.

A malicious actor could have used this to “backdoor” PHP packages and, as a consequence, launch supply-chain attacks.

The security hole in PHP Composer, tracked as CVE-2021-29472, was reported to the package manager’s maintainers on April 22 by security researchers from SonarSource, a software and security company.

Subsequently, the maintainers of Composer released a hotfix for the vulnerability in less than 12 hours.

Composer has since published a security note for versions 2.0.13 and 1.10.22, released on Wednesday, stating that it “Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders”.

The security note also states that no cases of exploitation of the vulnerability have been reported so far.

“The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins,” stated Composer developer Jordi Boggiano.

Millions of websites vulnerable for almost a decade:

Regarding the vulnerability, SonarSource has explained that it is a consequence of the way package source download URLs are handled, which could allow an adversary to trigger remote command injection.
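To make the class of bug concrete, here is a constructed example (not Composer’s own code) showing the unsafe pattern, a shell command built by interpolating a source download URL, next to a hardened version that validates the URL against an assumed scheme allowlist and quotes it as a separate argument:

```php
<?php
// Constructed example (not Composer's own code): the unsafe pattern, a shell
// command built by string interpolation from a source URL, next to a hardened
// version that validates the URL and quotes it as a separate argument.
// UNSAFE: any shell metacharacter or option-like prefix in $url reaches the shell.
function buildCloneCommandUnsafe(string $url, string $dir): string
{
    return "hg clone $url $dir";
}

// Accept only URL shapes a VCS downloader legitimately needs (assumed allowlist).
function isSafeVcsUrl(string $url): bool
{
    $allowedSchemes = ['http', 'https', 'ssh'];
    if ($url === '' || $url[0] === '-') {          // option-like value, e.g. "--foo"
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowedSchemes, true)) {
        return false;
    }
    if (!is_string($host) || $host === '') {
        return false;
    }
    // Conservative character set: no whitespace, quotes, ';', '|', '&', '$', backticks.
    return preg_match('#^[A-Za-z0-9._~:/@%+=-]+$#', $url) === 1;
}

// HARDENED: validate, quote each argument, and end option parsing with "--"
// (assumes the VCS client honours "--", as hg and git do).
function buildCloneCommandSafe(string $url, string $dir): string
{
    if (!isSafeVcsUrl($url)) {
        throw new InvalidArgumentException("Refusing to clone from unsafe source URL: $url");
    }
    return 'hg clone -- ' . escapeshellarg($url) . ' ' . escapeshellarg($dir);
}

// Constructed inputs: one benign URL, one with a shell metacharacter, one option-like.
$samples = ['https://example.org/vendor/lib', 'https://example.org/lib;echo injected', '--some-option=value'];
foreach ($samples as $url) {
    echo "unsafe: " . buildCloneCommandUnsafe($url, 'vendor/lib') . PHP_EOL;
    try {
        echo "safe:   " . buildCloneCommandSafe($url, 'vendor/lib') . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
    }
}
```

Only the first sample survives the hardened path; the other two are rejected before any command string is built, which is the behaviour a downloader should have regardless of which repository supplied the URL.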

The security company has also noted that one of the bugs in PHP Composer was apparently introduced back in November 2011, implying that the security hole had been present in the code almost from the start of its development.

“A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies,” stated SonarSource.