CVE-2026-59948 in Composer
Summary
by MITRE • 07/08/2026
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability affects Composer, a widely-used dependency manager for PHP applications that handles package installation and updates. The flaw stems from inadequate validation of package names during the dependency resolution process, specifically when processing packages from untrusted repositories other than the official Packagist.org or Private Packagist. When a malicious actor crafts a package with an invalid name that bypasses normal validation checks, Composer's installation routine can be manipulated to write files outside the intended vendor directory and project boundaries. This represents a critical path traversal vulnerability that allows arbitrary file system modifications beyond the expected installation scope.
The technical implementation of this vulnerability exploits the trust model inherent in Composer's dependency resolution mechanism. During package installation or update operations, the software performs dependency resolution without sufficient validation of package identifiers received from external repositories. This validation gap enables attackers to craft package names containing path traversal sequences or other malicious naming conventions that circumvent normal input sanitization. The flaw is particularly dangerous because it operates at the package installation level rather than during code execution, making it difficult to detect through traditional runtime security measures.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass full system compromise potential. Attackers can leverage this weakness to write malicious files directly to system directories, potentially including configuration files, executable scripts, or other critical system components. This capability enables persistent malicious presence on target systems and can facilitate further attacks such as privilege escalation, data exfiltration, or lateral movement within network environments. The vulnerability affects PHP applications that rely on Composer for dependency management across all versions prior to 2.2.29 and 2.10.2, representing a significant risk for organizations using these software versions.
Security mitigations for this vulnerability involve immediate upgrade to the patched versions 2.2.29 or 2.10.2, which implement proper package name validation during dependency resolution. Organizations should also establish strict repository whitelisting policies to prevent installation of packages from untrusted sources, implement network segmentation to limit access to external package repositories, and conduct regular security audits of installed dependencies. The vulnerability aligns with CWE-22 Path Traversal and CWE-770 Allocation of Resources Without Limits or Throttling categories, while the attack vector corresponds to techniques described in the MITRE ATT&CK framework under T1059 Command and Scripting Interpreter and T1566 Phishing. Additional defensive measures include implementing software supply chain security controls, using dependency check tools, and establishing secure development practices that validate all external package sources before integration into production environments.