Composer Command Injection Vulnerability in Perforce Repository Handling

Vulnerability

A command injection vulnerability has been identified in Composer, a dependency manager for PHP. This issue affects Composer versions 1.0 through 2.2.26 and 2.3 through 2.9.5. The vulnerability arises in the Perforce::generateP4Command() method, which creates shell commands by incorporating user-supplied Perforce connection parameters (port, user, client) without adequate escaping. An attacker could exploit this by injecting arbitrary commands through these parameters in a malicious composer.json file that specifies a Perforce VCS repository. The injected commands would be executed in the context of the user running Composer, even if Perforce is not installed. This vulnerability can only be exploited by running Composer commands on untrusted projects with attacker-supplied composer.json files, as VCS repositories are only loaded from the root composer.json or the composer config directory.

Impact

Exploitation of this vulnerability allows for arbitrary command execution in the context of the user running Composer.

Remediation

Users can upgrade to Composer version 2.2.27 (2.2 LTS) or 2.9.6 (mainline) to address this vulnerability. It is also recommended to inspect composer.json files for Perforce-related fields before running Composer commands, and to run Composer only on projects from trusted sources.
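The following is an added example, not code from the advisory or from the Composer project: a small pre-flight check that implements the inspection recommended above. It parses a composer.json manifest, locates every repository of type "perforce" (handling both the list and the keyed-object forms of "repositories"), and flags any string field containing shell metacharacters. Because the advisory names the port, user and client parameters but not the exact JSON keys, the check assumes every string field of a Perforce repository entry is attacker-controllable input; the sample manifests are constructed.

```python
import json
import re

# Characters that carry meaning for a POSIX shell. Any of these inside a Perforce
# connection parameter warrants manual review (a heuristic, not a full shell parser).
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")


def _iter_repositories(manifest):
    """Yield repository entries whether 'repositories' is a list or a keyed object."""
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):
        repos = repos.values()
    for repo in repos:
        if isinstance(repo, dict):
            yield repo


def find_suspicious_perforce_repos(composer_json_text):
    """Return (repository url, field, value) for each string field of a Perforce-type
    repository that contains shell metacharacters. An empty list means nothing flagged.

    Assumption: every string field of a 'perforce' entry is treated as untrusted,
    since the advisory does not list the exact JSON keys for port, user and client.
    """
    manifest = json.loads(composer_json_text)
    findings = []
    for repo in _iter_repositories(manifest):
        if str(repo.get("type", "")).lower() != "perforce":
            continue  # only Perforce repositories reach generateP4Command()
        for field, value in repo.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append((repo.get("url", "<no url>"), field, value))
    return findings


# Constructed sample manifests (not taken from the advisory): one clean, one with a
# shell metacharacter smuggled into a connection parameter.
CLEAN = ('{"repositories": [{"type": "perforce", '
         '"url": "perforce.example.test:1666", "p4user": "build"}]}')
SUSPICIOUS = ('{"repositories": {"p4": {"type": "perforce", '
              '"url": "perforce.example.test:1666", "p4user": "build; echo injected"}}}')

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(name, find_suspicious_perforce_repos(text))
```

Run this against an untrusted project's root composer.json (and any manifests under the Composer config directory) before invoking Composer on a version earlier than the fixed releases.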

Added: Apr 15, 2026, 10:04 PM
Updated: Apr 15, 2026, 10:04 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.4
remediation: 7.9
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.