CVE-2026-59947
Received Received - Intake

Composer Debug Output Credential Exposure via URL

Vulnerability report for CVE-2026-59947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
composer composer to 2.2.29 (inc)
composer composer to 2.10.2 (inc)
composer composer From 2.3.0 (inc) to 2.10.2 (exc)
composer composer From 1.0 (inc) to 2.2.29 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59947 is a vulnerability in Composer, a dependency manager for PHP, where authentication credentials embedded in the username part of a URL (such as a GitHub Personal Access Token in https://TOKEN@host/) were exposed in plaintext when Composer was run with very verbose debug output (-vvv). While passwords in URLs were masked, usernames were not, causing sensitive tokens to be printed in debug logs.

This happened because the components responsible for sanitizing URLs and debug output did not mask the username portion of URLs containing credentials. The issue was fixed by introducing a method that masks long tokens and certain sensitive usernames in debug output, preventing accidental exposure of these credentials.

Impact Analysis

This vulnerability can lead to the accidental exposure of sensitive authentication tokens or credentials embedded in URLs when running Composer with high debug verbosity (-vvv). If debug output is shared, logged, or stored insecurely, these tokens could be leaked to unauthorized parties.

Such exposure could allow attackers to misuse the leaked tokens to gain unauthorized access to repositories or services that the tokens protect, potentially compromising confidentiality.

However, this issue only affects users who embed credentials in URLs, run Composer with verbose debug output, and share or retain that output. The severity is rated as moderate with a CVSS score of 4.7.

Detection Guidance

This vulnerability can be detected by checking if Composer is run with the -vvv (very verbose) debug verbosity and if debug output contains credentials embedded in the username portion of URLs, such as GitHub Personal Access Tokens in URLs like https://TOKEN@host/.

To detect this on your system, you can review Composer debug logs for any exposed tokens or credentials in URLs.

Suggested commands include running Composer commands with -vvv and inspecting the output for credential exposure, for example:

  • composer update -vvv
  • composer install -vvv

Then, carefully examine the debug output for any URLs containing tokens or credentials printed in plaintext.

Mitigation Strategies

Immediate steps to mitigate this vulnerability include upgrading Composer to version 2.10.2 or 2.2.29 or later, where the issue has been fixed by masking usernames in URLs in debug output.

Additionally, avoid running Composer with the -vvv debug verbosity in environments where debug output is captured or shared, to prevent accidental exposure of credentials.

If upgrading immediately is not possible, ensure that debug logs are not stored or shared and remove any embedded credentials from URLs used in Composer configurations.

Compliance Impact

The vulnerability in Composer (CVE-2026-59947) involves the exposure of sensitive credentials, such as GitHub Personal Access Tokens, in plaintext within verbose debug output. This exposure could lead to unauthorized access if debug logs are shared or retained improperly.

Such leakage of sensitive authentication tokens can impact compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive information and credentials to prevent unauthorized access and data breaches.

Therefore, if an organization uses vulnerable versions of Composer and runs it with high debug verbosity (-vvv), it risks inadvertently exposing sensitive credentials, potentially violating confidentiality requirements mandated by these regulations.

The issue has been fixed in Composer versions 2.2.29 and 2.10.2 by masking usernames in URLs in debug output, reducing the risk of such exposure and helping maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart