CVE-2026-59946
Received Received - Intake

Path Traversal in Composer Dependency Manager

Vulnerability report for CVE-2026-59946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
composer composer to 2.2.29 (inc)
composer composer to 2.10.2 (inc)
composer composer 2.2.29
composer composer 2.10.2
composer composer From 2.3.0 (inc) to 2.10.2 (exc)
composer composer From 1.0 (inc) to 2.2.29 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Composer allows a malicious package to change file permissions on arbitrary host files to world-readable and world-executable. This can expose sensitive files, such as private keys or configuration files that normally have restrictive permissions, to unauthorized users.

Such exposure of sensitive data can impact confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

Because the vulnerability can make permission-restricted files readable by others, it potentially leads to non-compliance with these regulations' data protection and privacy controls.

The risk is higher if untrusted packages are installed and sensitive files with restrictive permissions exist in writable paths. The vulnerability does not allow direct reading or modification of file contents but compromises confidentiality by altering file permissions.

The only mitigation is upgrading to patched versions of Composer (2.2.29 or 2.10.2), as there are no workarounds.

Executive Summary

CVE-2026-59946 is a path traversal vulnerability in Composer, a dependency manager for PHP. It occurs when a package's bin entry contains ".." path segments, allowing the path to resolve outside the intended package install directory.

This flaw enables Composer's binary installation process to change the permissions (chmod) of existing host files outside the package directory, making them world-readable and world-executable during operations like composer install, update, or require.

The vulnerability arises from improper validation of package bin paths, which can be exploited by malicious packages to perform path traversal attacks.

The issue is fixed in Composer versions 2.2.29 and 2.10.2 by rejecting bin entries containing ".." segments and adding validation steps to prevent such attacks.

Impact Analysis

This vulnerability can impact you by causing Composer to change the permissions of sensitive files outside the package directory, making them world-readable and world-executable.

Files that were previously restricted (e.g., private keys or configuration files with permissions like 0600) could become accessible to unauthorized users on the system.

While the vulnerability does not allow reading, modifying, or executing the contents of these files, it compromises confidentiality by exposing sensitive files to other users.

The impact depends on the privilege level of the user running Composer: as a regular user, only their own files are affected; as root, any system file can be targeted.

There are no effective workarounds other than upgrading to a patched Composer version (2.2.29 or 2.10.2).

Detection Guidance

This vulnerability involves Composer packages containing bin entries with ".." path segments that allow path traversal and unintended chmod operations on host files during composer install, update, or require commands.

To detect this vulnerability on your system, you should check the versions of Composer installed and verify if any installed packages have bin entries containing ".." path segments.

Suggested commands include:

  • Check Composer version: `composer --version` to ensure it is below 2.2.29 or 2.10.2 (vulnerable versions).
  • Inspect installed packages' composer.json files or lock files for bin entries containing ".." path segments, for example by running a recursive grep:
  • `grep -r '"bin"' vendor/ | grep '\.\.'`
  • Alternatively, parse the composer.lock file to identify any bin entries with path traversal sequences.

Since the vulnerability is related to path traversal in package bin entries, detecting such entries in your dependencies is key to identifying exposure.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Composer to a patched version that addresses this vulnerability.

  • Upgrade Composer to version 2.10.2 or later, or 2.2.29 or later, where the vulnerability is fixed.

There are no effective workarounds such as using `--no-scripts`, `--no-plugins`, or plugin allow-lists, because the permission change occurs during binary installation.

Avoid installing untrusted packages or dependencies, especially those that might contain malicious bin entries with path traversal sequences.

Review and audit your dependencies for suspicious bin entries containing ".." path segments before installation.

If you have sensitive files with restrictive permissions in writable paths, consider restricting write permissions or isolating those files to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart