Composer 2.9.6 Security Update: Command Injection, Credential Leak, and Weak Encryption Fixes

Composer 2.9.6 Security Update Summary Vulnerability Overview Composer version 2.9.6 fixes multiple critical security vulnerabilities, mainly involving command injection, credential leakage, and improper use of encryption algorithms. Impact Scope Command Injection Vulnerability: Triggered via malicious Perforce reference or repository definition. Git Credential Leakage: Credentials remain in git mirror after clone or update failures. Encryption Algorithm Issue: Use of insecure 3DES encryption algorithm. Unescaped User Input: Unescaped Perforce user input used in the shell command. Insufficient Branch Name Validation: Inadequate validation of git/hg/perforce/fossil identifiers, which may lead to issues. Remediation Measures Command Injection Fix: Fixed command injection vulnerabilities triggered by malicious Perforce references and repository definitions. Credential Cleanup: Cleared residual credentials in git mirrors after clone or update failures. Encryption Algorithm Upgrade: Replaced the insecure 3DES encryption algorithm. Input Escaping: Applied escaping to Perforce user inputs. Branch Name Validation: Enhanced validation logic for git/hg/perforce/fossil identifiers to ensure branch names start with specific characters. Other Fixes Fixed autoloading issue for SingleCommandApplication script commands. Fixed issue where GitHub API authentication errors were not visible to users. Fixed platform package resolution failure when Composer runs under web SAPIs. Improved clarity of error reporting when constraint resolution fails. References CVE-2026-40261 CVE-2026-40176 Issue #28462 Issue #27427 Issue #27373 Issue #2735 Issue #2743 Issue #2758 Issue #661045 Issue #683699 Issue #588276

Goal Reached Thanks to every supporter — we hit 100%!

Composer 2.9.6 Security Update: Command Injection, Credential Leak, and Weak Encryption Fixes

More from this source