CVE-2024-35242
Composer vulnerable to command injection via malicious git/hg branch names
CVSS 3.1 base score: 8.8 (HIGH)
EPSS: 23.8%
Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
How to fix CVE-2024-35242
To remediate CVE-2024-35242, upgrade the affected package to a fixed version below.
- —upgrade to 2.2.24 or later
- —upgrade to 2.0.9-2+deb11u3 or later
- —upgrade to 2.2.24 or later
Is CVE-2024-35242 being exploited?
Moderate — EPSS is 23.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- >= 2.0.0, < 2.2.24, >= 2.3.0, < 2.7.7
- from 0, < 2.0.9-2+deb11u3
- >= 2.0, < 2.2.24
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |