CVE-2025-67746
Unknown Unknown - Not Provided
ANSI Control Character Injection in Composer Causes Terminal DoS

Publication date: 2025-12-30

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67746
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getcomposer composer From 2.0.0 (inc) to 2.2.26 (exc)
getcomposer composer From 2.3.0 (inc) to 2.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Composer, a PHP dependency manager. In certain versions before 2.2.26 and 2.9.3, attackers who control remote sources that Composer downloads from can inject ANSI control characters into the terminal output of various Composer commands. This can cause mangled output and potentially confuse users or cause a denial of service (DoS) of the terminal application. Although no proven exploit exists and the severity is low, it is recommended to upgrade to patched versions 2.2.26 or 2.9.3.

Impact Analysis

The impact of this vulnerability includes the possibility of mangled terminal output which can confuse users or disrupt terminal applications by causing a denial of service (DoS). This could interfere with normal operations when using Composer, but there is no known exploit demonstrating further damage or compromise.

Mitigation Strategies

Upgrade Composer to version 2.2.26 or 2.9.3 or later, as these versions contain the patch for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart