CVE-2021-41116

Severity: 8.2 HIGH

📋 TL;DR

CVE-2021-41116 is a command injection vulnerability in Composer, the PHP dependency manager, affecting Windows users who install untrusted packages. Attackers can execute arbitrary commands on the system when users install malicious dependencies. Only Windows users are affected; Linux, macOS, and WSL users are not vulnerable.

💻 Affected Systems

Products:
  • Composer
Versions: All versions before 1.10.23 and 2.x before 2.1.9
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows users installing untrusted dependencies; Linux, macOS, and WSL are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, steal credentials, or pivot to other systems.

🟠 Likely Case

Local privilege escalation or arbitrary command execution in the context of the user running Composer, potentially leading to data theft or system manipulation.

🟢 If Mitigated

Limited impact if only trusted dependencies are installed or if Composer is run in a sandboxed environment.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to install a malicious dependency; no authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.23 or 2.1.9 and later

Vendor Advisory: https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf

Restart Required: No

Instructions:

1. Update Composer with: composer self-update --stable
2. Verify the update with: composer --version
3. Confirm the reported version is at least 1.10.23 (1.x branch) or 2.1.9 (2.x branch).

🔧 Temporary Workarounds

Avoid Untrusted Dependencies (applies to: all platforms)

Only install dependencies from trusted sources to prevent exploitation.

Use Linux or WSL (applies to: Windows)

Switch to Linux, macOS, or Windows Subsystem for Linux (WSL), where this vulnerability does not exist.

🧯 If You Can't Patch

  • Run Composer in a sandboxed or isolated environment (e.g., virtual machine, container) to limit potential damage.
  • Implement strict access controls and monitor for suspicious command execution from Composer processes.

🔍 How to Verify

Check if Vulnerable:

Check Composer version with: composer --version. If version is below 1.10.23 for 1.x or below 2.1.9 for 2.x, and you are on Windows, you are vulnerable.

Check Version:

composer --version

Verify Fix Applied:

Run: composer --version and confirm version is 1.10.23 or higher for 1.x, or 2.1.9 or higher for 2.x.
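The version check above, carried out as a script. This is an added example, not Composer's own tooling or part of the advisory: it runs composer --version (assumed to be on PATH), parses the reported version, and applies the per-branch thresholds from the fix section (1.10.23 for 1.x, 2.1.9 for 2.x) together with the platform rule that only Windows hosts are affected.

```python
"""Check whether an installed Composer build is fixed for CVE-2021-41116.

Added example, not Composer's own code. It runs `composer --version`
(assumed to be on PATH) and compares the reported version against the
fixed releases named in the advisory: 1.10.23 for the 1.x branch and
2.1.9 for the 2.x branch. Only Windows hosts are affected, so the verdict
also takes the platform into account.
"""
import platform
import re
import subprocess

# Fixed release per major branch, taken from the advisory
FIXED = {1: (1, 10, 23), 2: (2, 1, 9)}

# Composer prints e.g. "Composer version 2.1.3 2021-06-09 16:31:20"
_VERSION_RE = re.compile(r"Composer(?: version)?\s+v?(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str):
    """Extract (major, minor, patch) from `composer --version` output.

    Returns None when no version string can be found.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_fixed(version) -> bool:
    """True when `version` is at or above the fixed release of its branch."""
    major = version[0]
    if major not in FIXED:
        # 3.x or later is newer than both fixed branches; 0.x is older than both
        return major > 2
    return version >= FIXED[major]


def assess(output: str, system: str):
    """Return (vulnerable, reason) for a --version output and an OS name.

    `system` is the value of platform.system(): "Windows", "Linux", "Darwin".
    `vulnerable` is None when the output could not be parsed.
    """
    version = parse_version(output)
    if version is None:
        return None, "could not parse a Composer version from the output"
    vtext = ".".join(map(str, version))
    if system != "Windows":
        return False, f"Composer {vtext} on {system}: not affected (Windows only)"
    if is_fixed(version):
        return False, f"Composer {vtext} on Windows: fixed"
    return True, (f"Composer {vtext} on Windows: VULNERABLE, "
                  "update with: composer self-update --stable")


def check_local():
    """Run the real composer binary on this host and assess it.

    shell=True is used because on Windows `composer` is a .bat wrapper that
    CreateProcess would not resolve; the command is a fixed literal, so no
    untrusted input reaches the shell.
    """
    out = subprocess.run("composer --version", shell=True,
                         capture_output=True, text=True, check=False)
    return assess(out.stdout + out.stderr, platform.system())


if __name__ == "__main__":
    vulnerable, reason = check_local()
    print(reason)
```

The parsing and comparison are kept separate from the process call so the thresholds can be unit-tested against captured output strings without Composer installed.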

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns from Composer processes, especially on Windows systems.

Network Indicators:

  • Outbound connections from Composer to unexpected or malicious domains.

SIEM Query:

process_name:"composer" AND (command_line:*cmd* OR command_line:*powershell*)

The parentheses are required: without them AND binds tighter than OR, so the query would also match every PowerShell command line on the host regardless of the process name.
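To show what the operator precedence in that query changes, here is the rule logic run over a handful of constructed process events. This is an added example, not from the advisory or from Composer; the event dicts and their field names (process_name, command_line) are assumptions made for the example. It goes one step beyond the page's query with a third, narrower variant, because Composer's own script hooks (post-install-cmd, post-update-cmd) contain the substring "cmd" and would otherwise fire the rule on every install.

```python
"""Run the SIEM rule logic over constructed process-creation events.

Added example, not from the advisory or from Composer. Event field names
(process_name, command_line) are assumptions for this example. Three rules
are compared:
  naive     - the query without parentheses, evaluated with AND before OR
  corrected - process_name:"composer" AND (command_line:*cmd* OR command_line:*powershell*)
  tuned     - the corrected rule with the *cmd* wildcard narrowed to an actual
              shell launch, so Composer's post-install-cmd hook does not fire it
"""

# Constructed sample telemetry (not real logs)
EVENTS = [
    {"id": 1, "process_name": "composer",
     "command_line": "composer install --no-dev"},            # normal install
    {"id": 2, "process_name": "composer",
     "command_line": "cmd.exe /c whoami"},                     # shell spawned under composer
    {"id": 3, "process_name": "powershell",
     "command_line": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},  # unrelated admin task
    {"id": 4, "process_name": "composer",
     "command_line": "composer run-script post-install-cmd"},  # legitimate Composer hook
]


def _has(cmdline: str, needle: str) -> bool:
    """Case-insensitive substring test, i.e. the *needle* wildcard match."""
    return needle in cmdline.lower()


def naive(ev: dict) -> bool:
    """process_name:"composer" AND command_line:*cmd* OR command_line:*powershell*
    with the usual precedence, i.e. (A AND B) OR C."""
    return (ev["process_name"] == "composer" and _has(ev["command_line"], "cmd")) \
        or _has(ev["command_line"], "powershell")


def corrected(ev: dict) -> bool:
    """process_name:"composer" AND (command_line:*cmd* OR command_line:*powershell*)"""
    cl = ev["command_line"]
    return ev["process_name"] == "composer" and (_has(cl, "cmd") or _has(cl, "powershell"))


def tuned(ev: dict) -> bool:
    """Same shape as `corrected`, but require a real shell launch (cmd.exe,
    cmd /c, or powershell) rather than any string containing 'cmd'."""
    cl = ev["command_line"]
    shell = _has(cl, "cmd.exe") or _has(cl, "cmd /c") or _has(cl, "powershell")
    return ev["process_name"] == "composer" and shell


def run_rule(rule, events=EVENTS) -> list:
    """Return the ids of the events the rule fires on."""
    return [ev["id"] for ev in events if rule(ev)]


if __name__ == "__main__":
    for rule in (naive, corrected, tuned):
        print(f"{rule.__name__:9s} -> events {run_rule(rule)}")
```

The naive form fires on the unrelated backup script (event 3) as well as on the Composer events; the corrected form drops that false positive but still fires on the legitimate post-install-cmd hook (event 4); the tuned form fires only on the shell launched under Composer (event 2). In real telemetry Composer often appears as php.exe running composer.phar rather than as a process literally named "composer", so the process_name clause may need to be expressed against the command line or the parent process instead.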
