CVE-2024-35241— Composer vulnerable to command injection via malicious git branch name
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-35241
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Composer vulnerable to command injection via malicious git branch name
Source: NVD (National Vulnerability Database)
Vulnerability Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
composer 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
composer是一个应用软件。提供一个声明,管理和安装PHP项目的依赖项。 composer 2.2.24 和 2.7.7 之前版本存在安全漏洞,该漏洞源于可以使用 status、reinstall 和 remove命令以及通过 git 从源码安装的包含存储库中特制分支名称的软件包来执行代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-35241
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-35241
请登录查看更多情报信息。
- https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9cx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-35241
IV. Related Vulnerabilities
Same product: composer
- CVE-2026-40261
Composer has Command Injection via Malicious Perforce Refere - CVE-2026-40176
Composer is vulnerable to Command Injection via Malicious Pe - CVE-2025-67746
Composer vulnerable to ANSI sequence injection - CVE-2024-35242
Composer vulnerable to command injection via malicious git/h - CVE-2024-24821
Code execution and possible privilege escalation via comprom
Same vendor: composer
- CVE-2026-40261
Composer has Command Injection via Malicious Perforce Refere - CVE-2026-40176
Composer is vulnerable to Command Injection via Malicious Pe - CVE-2025-67746
Composer vulnerable to ANSI sequence injection - CVE-2024-35242
Composer vulnerable to command injection via malicious git/h - CVE-2024-24821
Code execution and possible privilege escalation via comprom
Same weakness: CWE-77
- CVE-2026-8210
aandrew-me tgpt Update helper.go helper.Update command injec - CVE-2026-42258
net-imap: Command Injection via unvalidated Symbol inputs - CVE-2026-42453
Termix: Command injection in extractArchive/compressFiles vi - CVE-2026-42271
LiteLLM: Authenticated command execution via MCP stdio test - CVE-2026-41500
electerm has Command Injection Vulnerability via runMac func
V. Comments for CVE-2024-35241
No comments yet