Composer has released version 2.9.6 和 2.2.27 LTS to address two command injection vulnerabilities in its Perforce VCS driver: CVE-2026-40261 和 CVE-2026-40176 。
Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512.
To the best of our knowledge, neither vulnerability has been exploited prior to publication.
The vulnerabilities are located in Composer's Perforce VCS driver and involve insufficient escaping of values used in shell command construction.
Vulnerability Details
The first issue,
CVE-2026-40176
, affects the
Perforce::generateP4Command()
method. It can be exploited if a malicious project includes attacker-controlled Perforce connection parameters such as the port, user, or client in a root
composer.json
file. This is limited to the root project configuration or Composer config, not dependency package
composer.json
文件。
The second issue,
CVE-2026-40261
, impacts the
Perforce::syncCodeBase()
method. It allows command injection via a crafted source reference. This can occur when installing or updating dependencies from a malicious or compromised Composer repository, especially when using source installs like
--prefer-source
(default for dev versions). Notably, Perforce does not need to be installed for the injected command to be attempted.
Mitigation and Recommendations
The Composer team recommends updating immediately and both issues are fixed in Composer 2.9.6 (mainline) and 2.2.27 (2.2 LTS):
作曲家
self-updateAdditional mitigation steps include:
- Prefer distribution installs:
--prefer-dist或者preferred-install: dist - Avoid untrusted Composer repositories
- 审查
composer.jsonbefore running Composer on unfamiliar projects
Packagist reports that scans of Packagist.org and Private Packagist found no evidence of exploitation. As a precaution:
- Perforce source metadata publication on Packagist.org was disabled on April 10, 2026
- The Perforce VCS driver has been disabled on Private Packagist since that date
At the time of disclosure, there is no indication that these vulnerabilities were exploited in the wild.
If you rely on Composer in local development, CI pipelines, or automated workflows, you should verify your version and upgrade to a patched release as soon as possible.
Read their 完整公告 详情请见此处。
