CVE-2025-67746
ANSI Control Character Injection in Composer Causes Terminal DoS
Publication date: 2025-12-30
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getcomposer | composer | From 2.0.0 (inc) to 2.2.26 (exc) |
| getcomposer | composer | From 2.3.0 (inc) to 2.9.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Composer, the dependency manager for PHP. In versions 2.0.0 through 2.2.25 and 2.3.0 through 2.9.2, strings fetched from remote sources that Composer downloads from are echoed into the terminal output of various Composer commands without control characters being neutralized (CWE-74). An attacker who controls such a source can therefore embed ANSI control characters and escape sequences that the user's terminal interprets rather than displays. This can produce mangled or misleading output, confuse users, or cause a denial of service (DoS) of the terminal application. No exploit has been demonstrated and the severity is rated low, but upgrading to the patched versions, 2.2.26 on the 2.2 branch or 2.9.3 on the current branch, is recommended.
How can this vulnerability impact me?
Escape sequences injected into Composer's output can clear the screen, move the cursor, overwrite lines that were already printed, change the terminal title, or, depending on the terminal emulator, hang it. The practical effect is mangled output that can confuse users or a denial of service (DoS) of the terminal session in which the Composer command runs. This can interfere with normal operations when using Composer, but no known exploit demonstrates further damage, such as code execution or compromise of the host.
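The two questions above describe what a control-character injection looks like and what it does to a terminal. The following is an added example, not code from Composer or from the advisory: it takes a constructed package-description string carrying three typical payloads (a CSI clear-screen, an OSC title change, and a carriage return that overwrites the current line with a forged "Installing ... OK" message), labels the sequences it contains for audit logging, and neutralizes them by rendering every control character as visible `\xNN` text before the string reaches the terminal. The sample input, the function names and the choice to escape rather than delete are all assumptions made for this example.

```python
import re

# Constructed sample input, not real Composer data: a package description as a
# malicious remote source (a package repository, a VCS mirror) might return it.
# Three payload classes are embedded: a CSI sequence that clears the screen,
# an OSC sequence that changes the terminal title, and a bare carriage return
# that overwrites the current line with a forged "Installing ... OK" message.
UNTRUSTED_DESCRIPTION = (
    "Harmless HTTP client"
    "\x1b[2J\x1b[H"                              # CSI: clear screen, cursor home
    "\x1b]0;owned\x07"                           # OSC: set window title, BEL-terminated
    "\r  - Installing vendor/legit (1.0.0): OK"  # CR: overwrite the line on screen
)

# Anything that can change how a terminal interprets the byte stream:
# C0 controls, DEL, and the C1 range (0x80-0x9f), which some terminals
# accept as single-byte equivalents of ESC-prefixed sequences.
_CONTROL_CHAR = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")

# Recognisers for the common ESC-introduced sequence families, used only to
# label what was found; neutralisation below does not depend on them.
_SEQUENCE_KINDS = [
    ("CSI", re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")),
    ("OSC", re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")),
    ("ESC", re.compile(r"\x1b[@-Z\\-_]")),
]

_LONE_CONTROL_NAMES = {"\r": "CR", "\n": "LF", "\t": "TAB", "\x1b": "ESC"}


def classify_sequences(text: str) -> list[str]:
    """Label the escape sequences in `text` (e.g. ["CSI", "CSI", "OSC"]),
    followed by one entry per remaining lone control character ("CR", "LF", ...).
    Intended for audit logging: an empty list means the string is clean."""
    found = []
    remaining = text
    for kind, pattern in _SEQUENCE_KINDS:
        found.extend([kind] * len(pattern.findall(remaining)))
        remaining = pattern.sub("", remaining)
    for ch in _CONTROL_CHAR.findall(remaining):
        found.append(_LONE_CONTROL_NAMES.get(ch, f"C0/C1 {ord(ch):#04x}"))
    return found


def neutralize(text: str) -> str:
    """Render every control character as visible \\xNN text so the string can
    be echoed to a terminal. Escaping rather than deleting keeps an injection
    attempt visible to the user and in logs instead of silently hiding it.
    All controls are escaped, newlines included, because metadata fields such
    as a description are printed as single-line values."""
    return _CONTROL_CHAR.sub(lambda m: f"\\x{ord(m.group()):02x}", text)


if __name__ == "__main__":
    # Printing the raw string would clear the screen and overwrite the line;
    # the neutralized form shows the payload instead of executing it.
    print("found:", classify_sequences(UNTRUSTED_DESCRIPTION))
    print("safe :", neutralize(UNTRUSTED_DESCRIPTION))
```

The classifier is deliberately separate from the sanitizer: the sanitizer only needs to know that a byte is a control character, while the labels are what you would want in a detection rule or an incident note when a repository starts serving such metadata.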
What immediate steps should I take to mitigate this vulnerability?
Upgrade Composer to a patched release: 2.2.26 or later if you are on the 2.2 LTS branch, otherwise 2.9.3 or later. Check the installed version with `composer --version`; `composer self-update` moves to the latest stable release, and `composer self-update --2.2` stays on the 2.2 LTS channel. Composer binaries baked into CI runners and container images need to be updated there as well, since they will not pick up a local self-update. Until the upgrade is done, treat output from commands that read untrusted package repositories with care, because anything they print may have been shaped by the remote side.