CVE-2024-2725 in CIGESv2
Summary
by MITRE • 03/22/2024
Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/15/2025
The CVE-2024-2725 vulnerability represents a critical information exposure flaw within the CIGESv2 system that allows remote attackers to access sensitive package information through a specific file path. This vulnerability stems from inadequate access controls and improper file system permissions that permit unauthorized users to retrieve the composer installed.json file which contains comprehensive details about all dependencies and packages utilized by the application. The flaw exists in the application's web server configuration or application logic that fails to properly restrict access to this sensitive metadata file.
This technical vulnerability falls under the category of information disclosure as defined by CWE-200, where sensitive data is exposed to unauthorized parties without proper authentication or authorization mechanisms. The installed.json file typically contains version numbers, package names, and dependency relationships that provide attackers with detailed insights into the application's software stack, potentially revealing outdated or vulnerable components that could be exploited in subsequent attacks. The exposure of this information creates a significant risk for attackers who can use the gathered package data to identify known vulnerabilities in specific versions of libraries and frameworks.
The operational impact of this vulnerability extends beyond simple information disclosure as it enables attackers to perform reconnaissance activities that could lead to more sophisticated attacks. By obtaining the complete list of installed packages, threat actors can map the application's dependency tree and identify potential attack vectors through known vulnerabilities in specific package versions. This information can be leveraged for privilege escalation, lateral movement, or exploitation of known vulnerabilities in third-party components. The vulnerability particularly affects applications using the composer dependency management system where the installed.json file is accessible through standard web requests.
Security professionals should implement immediate mitigations including restricting access to sensitive files through web server configuration changes, implementing proper authentication and authorization controls, and ensuring that package metadata files are not accessible through the web root. The ATT&CK framework categorizes this type of vulnerability under T1595.002 for reconnaissance techniques involving the collection of information through network scanning and T1083 for discovering files and directories. Organizations should also consider implementing web application firewalls to block access to known sensitive file paths and conduct regular security assessments to identify similar exposure vulnerabilities in their software ecosystems. Proper input validation and access control mechanisms should be enforced to prevent unauthorized access to system metadata and configuration files that could reveal critical infrastructure information.