CVE-2026-59948
Received Received - Intake

Arbitrary File Write in Composer PHP Dependency Manager

Vulnerability report for CVE-2026-59948, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
composer composer to 2.2.29 (exc)
composer composer to 2.10.2 (exc)
composer composer to 2.2.29 (inc)
composer composer to 2.10.2 (inc)
composer composer From 2.3.0 (inc) to 2.10.2 (exc)
composer composer From 1.0 (inc) to 2.2.29 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows a malicious package to write attacker-controlled files outside the intended project directories, potentially leading to unauthorized code execution and modification of sensitive files.

Such unauthorized file writes and potential code execution could lead to breaches of confidentiality, integrity, and availability of data, which are critical concerns under standards like GDPR and HIPAA.

If exploited, this vulnerability could result in exposure or alteration of sensitive personal or health information, thereby impacting compliance with data protection regulations that require safeguarding data against unauthorized access and modification.

Therefore, organizations using vulnerable versions of Composer may face increased risk of non-compliance with these regulations unless they apply the fixes or mitigate the risk by avoiding untrusted repositories.

Executive Summary

This vulnerability affects Composer, a dependency manager for PHP. Before versions 2.2.29 and 2.10.2, Composer did not properly validate package names from untrusted repositories other than Packagist.org or Private Packagist. A maliciously crafted package with an invalid name could cause Composer to write files controlled by an attacker outside the expected vendor directory and project during install or update.

The issue arises because Composer's dependency resolution process did not correctly validate package names before writing or installing them, allowing path traversal or arbitrary file writes. This could let an attacker place files in sensitive locations on the host system.

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files outside the intended project directories during package installation or update. Such files could include malicious scripts or configuration files placed in sensitive locations like shell startup files, SSH authorized_keys, or cron entries.

The impact includes potential unauthorized code execution, system compromise, or persistence on the affected host. Because the attacker can control file contents and locations, this can lead to a full compromise of the environment where Composer is used.

Detection Guidance

This vulnerability involves maliciously crafted packages from untrusted repositories that cause Composer to write files outside the expected directories by exploiting invalid package names or path traversal in bin entries.

To detect this vulnerability on your system, you should check the versions of Composer in use and inspect your composer.lock and installed packages for suspicious or untrusted package sources.

Specifically, you can:

  • Verify your Composer version to ensure it is not vulnerable: `composer --version`
  • Audit your composer.lock file and installed packages for any packages coming from untrusted repositories other than Packagist.org or Private Packagist.
  • Look for package names or bin entries containing suspicious path traversal patterns such as ".." or unusual characters.
  • Use commands like `grep -r '\.\.' vendor/` or `grep -r '^[^a-zA-Z0-9]' composer.lock` to find suspicious entries that might indicate exploitation attempts.

Since the vulnerability requires user interaction during install or update, monitoring logs of these operations for warnings or errors related to package validation failures can also help detect attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Composer to a fixed version.

  • Upgrade Composer to version 2.2.29 or later, or 2.10.2 or later, where the vulnerability is fixed.
  • Avoid using untrusted third-party repositories that are not Packagist.org or Private Packagist.
  • If you must use third-party repositories, mirror them through Private Packagist to ensure package validation.
  • Review and validate your dependency graph to remove any suspicious or untrusted packages.

These steps prevent malicious packages from being installed and stop Composer from writing attacker-controlled files outside the intended directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart