CVE-2022-24828— Missing input validation can lead to command execution in composer
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-24828
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing input validation can lead to command execution in composer
Source: NVD (National Vulnerability Database)
Vulnerability Description
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
composer 参数注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
composer是一个应用软件。提供一个声明,管理和安装PHP项目的依赖项。 composer 存在参数注入漏洞,该漏洞源于缺少输入验证。攻击者可通过 VcsDriver::getFileContent() 执行命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2022-24828
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-24828
请登录查看更多情报信息。
- https://www.tenable.com/security/tns-2022-09x_refsource_CONFIRM
- https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6x_refsource_CONFIRM
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/vendor-advisoryx_refsource_FEDORA
- https://nvd.nist.gov/vuln/detail/CVE-2022-24828
IV. Related Vulnerabilities
Same product: composer
- CVE-2026-40261
Composer has Command Injection via Malicious Perforce Refere - CVE-2026-40176
Composer is vulnerable to Command Injection via Malicious Pe - CVE-2025-67746
Composer vulnerable to ANSI sequence injection - CVE-2024-35242
Composer vulnerable to command injection via malicious git/h - CVE-2024-35241
Composer vulnerable to command injection via malicious git b
Same vendor: composer
- CVE-2026-40261
Composer has Command Injection via Malicious Perforce Refere - CVE-2026-40176
Composer is vulnerable to Command Injection via Malicious Pe - CVE-2025-67746
Composer vulnerable to ANSI sequence injection - CVE-2024-35242
Composer vulnerable to command injection via malicious git/h - CVE-2024-35241
Composer vulnerable to command injection via malicious git b
Same weakness: CWE-20
V. Comments for CVE-2022-24828
No comments yet