Composer Command Injection Vulnerability in Perforce Integration

Vulnerability

A command injection vulnerability has been identified in Composer, a dependency manager for PHP. This issue affects Composer versions 1.0 through 2.2.26 and 2.3 through 2.9.5. The vulnerability arises in the Perforce synchronization method, where user-supplied data is appended to a shell command without proper escaping. Additionally, the Perforce command generation method interpolates connection parameters from the source URL field, also without adequate escaping. This flaw allows attackers to inject arbitrary commands through crafted source reference or URL values containing shell metacharacters. The vulnerability can be exploited when installing or updating dependencies from source, including the default behavior when installing development versions. Notably, the issue can be triggered even if Perforce is not installed, as Composer will execute the injected commands regardless.

Impact

Exploitation of this vulnerability allows for arbitrary command injection, with the injected commands executed in the context of the user running Composer.

Remediation

Users can update to Composer versions 2.2.27 or 2.9.6, where this vulnerability has been patched. If an immediate update is not possible, dependencies can be installed from distribution packages instead of source, using the '--prefer-dist' option or the 'preferred-install: dist' configuration setting. It is also advisable to only use trusted Composer repositories.
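The following PHP snippet is an added illustration and is not Composer's own code; the function names, the 'p4' binary name and the sample reference values are constructed for this example. It contrasts the pattern the advisory describes (untrusted source reference data concatenated into a shell command) with the hardened form that passes every untrusted value through escapeshellarg(), adds a conservative pre-check for shell metacharacters, and includes a version check built from the affected and patched versions stated above so an operator can test whether a given Composer release falls in an affected range.

```php
<?php
// Added illustrative example, not Composer's code. Contrasts unsafe
// interpolation of untrusted data into a shell command with the escaped
// form, and checks a version string against the advisory's affected ranges.

declare(strict_types=1);

// Hypothetical helper showing the unsafe pattern: $reference originates in
// package metadata (a source reference or URL), so it is attacker-influenced.
function buildSyncCommandUnsafe(string $p4Binary, string $reference): string
{
    // Raw concatenation: any shell metacharacter in $reference is parsed by
    // the shell as command syntax rather than as part of the argument.
    return $p4Binary . ' sync ' . $reference;
}

// Hardened form: escapeshellarg() wraps the value in single quotes and escapes
// embedded quotes, so the shell receives exactly one literal argument.
function buildSyncCommandSafe(string $p4Binary, string $reference): string
{
    return escapeshellarg($p4Binary) . ' sync ' . escapeshellarg($reference);
}

// Defensive pre-check a repository or lock-file validator could apply before
// any command is built: accept only characters a Perforce reference needs.
function referenceLooksSafe(string $reference): bool
{
    return preg_match('/^[A-Za-z0-9._\/@#:+-]+$/', $reference) === 1;
}

// Affected ranges as stated in the advisory: 1.0 through 2.2.26 and
// 2.3 through 2.9.5. Patched releases: 2.2.27 and 2.9.6.
function isAffectedComposerVersion(string $version): bool
{
    $inLegacyBranch = version_compare($version, '1.0', '>=')
        && version_compare($version, '2.2.27', '<');
    $inCurrentBranch = version_compare($version, '2.3', '>=')
        && version_compare($version, '2.9.6', '<');
    return $inLegacyBranch || $inCurrentBranch;
}

// Constructed sample values for demonstration only.
$benign  = 'main@12345';
$hostile = 'main; echo injected';   // contains a shell metacharacter

printf("unsafe : %s\n", buildSyncCommandUnsafe('p4', $hostile));
printf("safe   : %s\n", buildSyncCommandSafe('p4', $hostile));
printf("benign passes pre-check : %s\n", referenceLooksSafe($benign) ? 'yes' : 'no');
printf("hostile passes pre-check: %s\n", referenceLooksSafe($hostile) ? 'yes' : 'no');

foreach (['2.2.26', '2.2.27', '2.9.5', '2.9.6'] as $v) {
    printf("%s affected: %s\n", $v, isAffectedComposerVersion($v) ? 'yes' : 'no');
}
```

Running it shows the unsafe form emitting the metacharacter verbatim into the command line while the safe form yields a single quoted argument, the pre-check rejecting the hostile reference, and the version check returning affected for 2.2.26 and 2.9.5 but not for the patched 2.2.27 and 2.9.6. The allow-list in referenceLooksSafe() is an assumption about what a reference may contain and should be widened only with care; escaping remains the primary control.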

Added: Apr 15, 2026, 10:04 PM
Updated: Apr 15, 2026, 10:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.0
remediation: 8.3
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.