CVE-2026-59946 in Composerinfo

Summary

by MITRE • 07/08/2026

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in Composer represents a critical path traversal flaw that enables malicious package authors to manipulate the binary installation process and compromise host system security. This issue affects versions prior to 2.2.29 and 2.10.2 of the PHP dependency manager, where the package bin entry validation fails to properly sanitize path segments containing double dots. The flaw resides in how Composer handles relative paths during package installation, specifically when processing binary executables that are installed into the system's bin directory.

The technical exploitation occurs when a malicious package contains a bin entry with .. path segments that traverse outside the intended package installation directory. During the composer install, update, or require operations, this vulnerability allows the installer to target existing files on the host system rather than restricting operations to the package's designated location. The compromised process executes chmod operations that set world-readable and world-executable permissions on targeted host files, effectively creating potential attack vectors for privilege escalation.

This vulnerability maps directly to CWE-22 Path Traversal and CWE-73 Import File Name with Directory Traversal, both of which are categorized under the Software Fault Pattern taxonomy. The operational impact extends beyond simple file permission changes, as it can potentially allow attackers to modify critical system files or inject malicious binaries into the execution path. The attack surface is particularly concerning in development environments where Composer is frequently used and packages from untrusted sources may be installed.

From an ATT&CK framework perspective, this vulnerability aligns with T1059 Command and Scripting Interpreter and T1546 Event Triggered Execution, as it enables the execution of malicious code through compromised binary installations. The issue demonstrates a failure in input validation and access control mechanisms within the Composer installation process, creating opportunities for attackers to modify system configurations and potentially establish persistent access.

The fix implemented in versions 2.2.29 and 2.10.2 addresses this by introducing proper path sanitization and validation that prevents traversal outside of package directories during binary installation. Organizations should immediately upgrade to these patched versions to mitigate the risk, while also implementing additional security controls such as package source verification, dependency scanning, and restricted Composer execution environments to prevent exploitation of similar vulnerabilities in other tools or custom implementations.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!