CVE-2015-8371

8.8 HIGH

📋 TL;DR

CVE-2015-8371 is a cache poisoning vulnerability in Composer that allows attackers to inject malicious code into server-side build processes. The vulnerability occurs because Composer uses predictable cache keys based on package metadata, enabling attackers to poison the cache with their own packages. This affects projects using Composer versions before 1.0.0 on shared hosting environments.

💻 Affected Systems

Products:
  • Composer
Versions: All versions before 1.0.0 (specifically through 1.0.0-alpha11)
Operating Systems: All operating systems running Composer
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects shared hosting environments where multiple projects use the same Composer cache directory.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution on build servers, allowing attackers to compromise production systems and steal sensitive data.

🟠 Likely Case: Malicious package injection leading to supply chain attacks and compromised application builds.

🟢 If Mitigated: Limited to isolated development environments with proper access controls and cache separation.

🌐 Internet-Facing: HIGH - Build servers accessible from the internet are directly vulnerable to cache poisoning attacks.
🏢 Internal Only: MEDIUM - Shared internal build environments remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the same filesystem as the target Composer installation, making shared hosting environments particularly vulnerable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0

Vendor Advisory: https://github.com/composer/composer/security/advisories/GHSA-5g8f-3j6p-v2gj

Restart Required: No

Instructions:

1. Update Composer to version 1.0.0 or later: composer self-update
2. Clear the existing cache: composer clear-cache
3. Verify the update: composer --version

🔧 Temporary Workarounds

Isolate Composer cache per project (applies to: all)

Set a unique cache directory for each project to prevent cross-project cache poisoning:

export COMPOSER_CACHE_DIR=/path/to/project-specific/cache

Disable dist package caching (applies to: all)

Prevent caching of dist packages entirely:

composer config --global cache-files-dir false

🧯 If You Can't Patch

  • Isolate build environments so each project has its own dedicated Composer installation
  • Implement strict filesystem permissions to prevent unauthorized access to Composer cache directories

🔍 How to Verify

Check if Vulnerable:

Check the Composer version with: composer --version. If the reported version is below 1.0.0 (this includes the 1.0.0 pre-releases, e.g. 1.0.0-alpha11), the system is vulnerable.

Check Version:

composer --version

Verify Fix Applied:

Verify Composer version is 1.0.0 or higher with: composer --version
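The version check above and the per-project COMPOSER_CACHE_DIR workaround from the "Temporary Workarounds" section, combined into one script. This is an added example, not code from the advisory or from the Composer project: the function names, the sample "composer --version" line (constructed, including its timestamp) and the ".composer-cache" directory name are this example's own choices; only "composer --version", COMPOSER_CACHE_DIR and the 1.0.0 fix boundary come from the page.

```shell
#!/bin/sh
# Added example (not part of the original advisory).
# 1. Decide whether a Composer version string falls in the affected range
#    (below 1.0.0, including the 1.0.0 pre-releases such as 1.0.0-alpha11).
# 2. Create an owner-only, per-project cache directory so projects on a
#    shared host no longer share one writable Composer cache.

# Extract the version token from "composer --version" output, e.g.
# "Composer version 1.0.0-alpha11 2015-11-14 16:21:07" -> "1.0.0-alpha11".
composer_version_token() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([^ ]*\).*/\1/p'
}

# Exit 0 (true) when the version is affected, 1 when it is fixed,
# 2 when the string is not a recognisable version (do not guess).
composer_version_vulnerable() {
    ver="$1"
    base="${ver%%-*}"          # "1.0.0-alpha11" -> "1.0.0"
    suffix="${ver#"$base"}"    # "-alpha11", or empty for a final release
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    case "$patch" in *.*) patch="${patch%%.*}";; esac
    case "$major$minor$patch" in *[!0-9]*|"") return 2;; esac
    if [ "$major" -lt 1 ]; then return 0; fi
    # 1.0.0-<prerelease> ships before the 1.0.0 fix and is still affected.
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ] && [ -n "$suffix" ]; then
        return 0
    fi
    return 1
}

# Convenience wrapper over a whole "composer --version" line.
composer_output_vulnerable() {
    tok="$(composer_version_token "$1")"
    [ -n "$tok" ] || return 2
    composer_version_vulnerable "$tok"
}

# Give one project its own Composer cache and restrict it to the owner,
# so other accounts on the same host cannot write into it. Prints the path.
setup_project_cache() {
    cache_dir="$1/.composer-cache"   # directory name chosen for this example
    mkdir -p "$cache_dir"
    chmod 0700 "$cache_dir"
    printf '%s\n' "$cache_dir"
}

# First ten characters of "ls -ld", e.g. "drwx------", to verify isolation.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone use: check the installed Composer (if any) and isolate its cache.
if command -v composer >/dev/null 2>&1; then
    line="$(composer --version 2>/dev/null | head -n 1)"
    if composer_output_vulnerable "$line"; then
        echo "AFFECTED: $line"
    else
        echo "not affected (or unrecognised): $line"
    fi
    COMPOSER_CACHE_DIR="$(setup_project_cache "${PROJECT_DIR:-$PWD}")"
    export COMPOSER_CACHE_DIR
    echo "cache isolated at $COMPOSER_CACHE_DIR ($(mode_string "$COMPOSER_CACHE_DIR"))"
fi
```

The version comparison is deliberately explicit rather than relying on "sort -V", which orders "1.0.0" before "1.0.0-alpha11" and would therefore misclassify the pre-releases the advisory lists as affected. The directory is chmod 0700 because the vulnerability needs another local account to be able to write into the cache; a path nobody else can reach removes that precondition even before upgrading.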

📡 Detection & Monitoring

Log Indicators:

  • Unexpected package downloads from unusual sources
  • Cache directory modifications from unauthorized users

Network Indicators:

  • Unusual outbound connections from build servers during package resolution

SIEM Query:

Process execution logs showing composer commands with suspicious package names or sources

🔗 References
