Composer ANSI Control Character Injection Vulnerability
Vulnerability
A vulnerability exists in Composer, a dependency manager for PHP, affecting versions 2.0 through 2.2.25 and versions 2.3 up to, but not including, 2.9.3. An attacker who controls a remote source from which Composer downloads (for example a package repository) can embed ANSI control characters that are then written unfiltered to the terminal output of various Composer commands. The injected characters can distort the output, causing confusion or a denial-of-service condition in the terminal application.
Impact
Exploitation of this vulnerability can cause distorted terminal output, leading to confusion or a denial-of-service condition in the affected terminal application.
Reproduction
The vulnerability can be reproduced by using a version of Composer that is affected by this issue and by downloading from a remote source that injects ANSI control characters. This can be done by creating a package that includes such characters and hosting it in a repository that Composer can access. Once the package is installed, the injected characters will disrupt the normal output of Composer commands, demonstrating the vulnerability.
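The defensive counterpart to the behaviour described above, as an added example that is not Composer's own code: a PHP helper that strips ANSI escape sequences and other terminal control characters from an untrusted string (such as package metadata returned by a remote repository) before it is echoed to the console. The function name and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Remove terminal control sequences from text that came from an untrusted
 * source (package name, description, repository URL, error message) before
 * writing it to the terminal. Tab, newline and carriage return are kept;
 * all other C0 controls, DEL, C1 controls and ESC-introduced sequences go.
 */
function stripTerminalControls(string $untrusted): string
{
    // ECMA-48 sequences introduced by ESC (0x1B):
    //  - CSI: ESC [ params intermediates final-byte  (cursor moves, SGR colours, erase)
    //  - OSC: ESC ] ... BEL | ESC \                   (window title, hyperlinks)
    //  - nF:  ESC <0x20-0x2F> <0x30-0x7E>
    //  - Fe:  ESC <0x40-0x5F>
    $escapes = '/\x1B(?:\[[0-?]*[ -\/]*[@-~]|\][^\x07\x1B]*(?:\x07|\x1B\\\\)?|[ -\/][0-~]|[@-_])/';
    $clean = preg_replace($escapes, '', $untrusted);
    if ($clean === null) {
        // PCRE error (e.g. backtrack limit): fail closed, print nothing from the source.
        return '';
    }

    // Remaining C0 controls except \t \n \r, DEL, and C1 controls as they
    // appear in UTF-8 (0xC2 0x80..0x9F), which some terminals treat as CSI/OSC.
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]|\xC2[\x80-\x9F]/', '', $clean);

    return $clean ?? '';
}

// Constructed sample of a package description a hostile repository could return:
// clear-screen, red "Done!", colour reset, a window-title OSC and a stray BEL.
$sample = "vendor/pkg \x1B[2J\x1B[1;31mDone!\x1B[0m\x1B]0;owned\x07\x07 legit text\n";
echo stripTerminalControls($sample);  // vendor/pkg Done! legit text
```

Apply the filter at the point where untrusted strings meet the output layer, not in each command, so that every code path that prints repository-supplied data is covered.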
Remediation
Users can upgrade to Composer versions 2.2.26 or 2.9.3 to address this vulnerability.