CVE-2024-35241

8.8 HIGH

📋 TL;DR

This vulnerability in Composer (the PHP dependency manager) allows code execution when the status, reinstall or remove commands are run against a package that was installed from source via git and whose repository contains a specially crafted branch name. It affects Composer 2.x versions before 2.2.24 (2.2 LTS) and before 2.7.7 (mainline), so any PHP project whose vendor/ tree contains git checkouts is potentially exposed.

💻 Affected Systems

Products:
  • Composer
Versions: Composer 2.x versions before 2.2.24 and 2.7.7
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is reached only for packages installed from source (a git checkout under vendor/), not for packages installed from dist archives. Composer 2 defaults preferred-install to dist, but it falls back to a source checkout whenever no dist archive is available (for example a package pulled from a VCS repository or a dev branch without a generated archive), so a project with default configuration can still contain source installs.

⚠️ Manual Verification Required

Automated version matching is not available for this entry, so confirm exposure manually against the ranges in the vendor advisory: Composer 2.0.0 up to but not including 2.2.24, and 2.3.0 up to but not including 2.7.7.

Recommended Actions:
  1. Review the CVE details at NVD and the vendor advisory linked under Official Fix below
  2. Compare the output of composer --version against the two ranges above
  3. Determine whether any dependency is installed from source via git; only those packages expose the vulnerable status, reinstall and remove code path
  4. Update to 2.2.24 (2.2 LTS) or 2.7.7 (mainline), or later

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing the attacker to execute arbitrary code with the privileges of the Composer process, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

The attacker gains code execution in the context of the Composer process (typically a developer workstation or CI runner), enabling them to modify project dependencies, steal credentials such as repository tokens, or pivot to other systems.

🟢 If Mitigated

With proper controls, impact is limited to the specific Composer process context and isolated from critical systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the victim to run composer status, reinstall or remove against a package that was installed from source (git) and whose repository contains a specially crafted branch name. The attacker therefore needs control over that git repository, or over a mirror the project fetches from; no authentication to the victim's system is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.24 (for 2.2 LTS) or 2.7.7 (for mainline)

Vendor Advisory: https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c

Restart Required: No

Instructions:

1. Update Composer to a fixed release: composer self-update 2.2.24 (2.2 LTS) or composer self-update 2.7.7 (mainline). composer self-update --2.2 moves to the latest 2.2.x release and composer self-update with no arguments to the latest stable release.
2. Verify the update with: composer --version
3. If Composer is baked into CI runner or Docker images (for example copied from the official composer image), rebuild those images as well; self-update on a workstation does not fix them.

🔧 Temporary Workarounds

Avoid git installations (all platforms)

Configure Composer to prefer distribution packages instead of source installations from git:

composer install --prefer-dist

Configure preferred install globally (all platforms)

Set Composer configuration to always prefer dist packages:

composer config -g preferred-install dist

Caveat: both settings only change the preference. A package that has no dist archive at all (a VCS repository pointing at a plain git remote, or a dev branch without a generated archive) still installs from source. After applying them, check vendor/composer/installed.json for entries whose installation-source is "source"; pin those packages to a tagged release that ships a dist archive, or delete vendor/ and run composer install again so no git checkout remains.

🧯 If You Can't Patch

  • Avoid running composer status, reinstall, or remove in any project that has packages installed from source via git (vendor/composer/installed.json records the installation-source of each package); the risk is concentrated in those three commands
  • Audit all git-based dependencies and ensure they come from repositories you control or trust; planting a crafted branch name needs only push access to the repository, not a change to the package's code

🔍 How to Verify

Check if Vulnerable:

Run: composer --version and check if version is below 2.2.24 (for 2.2 LTS) or below 2.7.7 (for mainline)

Check Version:

composer --version

Verify Fix Applied:

Run: composer --version and confirm version is 2.2.24 or higher (LTS) or 2.7.7 or higher (mainline)
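The two checks above (Composer version and which packages are actually installed from git source) can be combined into one offline audit. The script below is an added example and not Composer's own code. It assumes the affected ranges from the vendor advisory (2.0.0 <= v < 2.2.24 and 2.3.0 <= v < 2.7.7) and the Composer 2 layout of vendor/composer/installed.json, in which every package entry records an installation-source of "dist" or "source"; Composer 1 wrote a bare package list without that field, so such entries are reported as unclassifiable rather than ignored. The sample version string and installed.json are constructed for the example.

```python
"""Offline exposure check for CVE-2024-35241 (added example, not Composer's code)."""
import json
import re

# Affected ranges from the vendor advisory: lower bound inclusive, upper exclusive.
VULNERABLE_RANGES = (
    ((2, 0, 0), (2, 2, 24)),  # 2.2 LTS line, fixed in 2.2.24
    ((2, 3, 0), (2, 7, 7)),   # mainline, fixed in 2.7.7
)

# The commands that reach the vulnerable code path on source-installed packages.
RISKY_COMMANDS = ("status", "reinstall", "remove")


def parse_composer_version(output):
    """Pull (major, minor, patch) out of `composer --version` output.

    Example input: "Composer version 2.7.6 2024-05-06 16:58:30".
    Pre-release suffixes such as -RC1 are ignored here (simplification).
    """
    match = re.search(r"Composer version (\d+)\.(\d+)\.(\d+)", output)
    if not match:
        raise ValueError("no Composer version found in: %r" % output)
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version):
    """True if the version tuple falls inside one of the affected ranges."""
    return any(low <= version < high for low, high in VULNERABLE_RANGES)


def source_installed_git_packages(installed_json_text):
    """Return (from_git, unknown) package-name lists from installed.json.

    Composer 2 wraps the entries in {"packages": [...]}, Composer 1 wrote a
    bare list. Entries without "installation-source" cannot be classified from
    the file alone and are returned in `unknown` so they are not silently dropped.
    """
    data = json.loads(installed_json_text)
    packages = data["packages"] if isinstance(data, dict) else data
    from_git, unknown = [], []
    for pkg in packages:
        how = pkg.get("installation-source")
        source_type = (pkg.get("source") or {}).get("type")
        if how is None:
            unknown.append(pkg["name"])
        elif how == "source" and source_type == "git":
            from_git.append(pkg["name"])
    return from_git, unknown


def assess(version_output, installed_json_text):
    """Combine both checks into one verdict: exposed only if the version is
    affected AND at least one package is (or may be) a git source install."""
    version = parse_composer_version(version_output)
    from_git, unknown = source_installed_git_packages(installed_json_text)
    vulnerable = is_vulnerable_version(version)
    exposed = vulnerable and bool(from_git or unknown)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "git_source_packages": from_git,
        "unclassified_packages": unknown,
        "exposed": exposed,
        "avoid_commands": list(RISKY_COMMANDS) if exposed else [],
    }


# Constructed sample data (not real tool output): one dist install, one git source install.
SAMPLE_VERSION_OUTPUT = "Composer version 2.7.6 2024-05-06 16:58:30"
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {
            "name": "example/logger",
            "version": "3.0.0",
            "source": {"type": "git", "url": "https://git.example.com/example/logger.git",
                       "reference": "a" * 40},
            "dist": {"type": "zip", "url": "https://git.example.com/example/logger/archive/3.0.0.zip"},
            "installation-source": "dist",
        },
        {
            "name": "example/internal-lib",
            "version": "dev-main",
            "source": {"type": "git", "url": "https://git.example.internal/example/internal-lib.git",
                       "reference": "b" * 40},
            "installation-source": "source",
        },
    ],
    "dev": True,
    "dev-package-names": [],
})

if __name__ == "__main__":
    # In practice feed in the real `composer --version` output and the real installed.json.
    print(json.dumps(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_INSTALLED_JSON), indent=2))
```

Run it from the project root with the real files (for example `composer --version` piped in and vendor/composer/installed.json read from disk); a non-empty git_source_packages list on an affected version means the three listed commands must not be run in that checkout until Composer is updated.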

📡 Detection & Monitoring

Log Indicators:

  • Unusual Composer process execution patterns
  • Composer commands (status, reinstall, remove) being run on git-based packages
  • Unexpected child processes spawned from Composer

Network Indicators:

  • Composer downloading packages from unexpected git repositories
  • Unusual outbound connections from Composer processes

SIEM Query:

(process.name:"composer" OR process.args:"composer.phar") AND (process.args:"status" OR process.args:"reinstall" OR process.args:"remove")

Note: Composer is frequently invoked as php composer.phar ..., in which case process.name is "php", so a query keyed on process.name alone misses those runs; matching on the argument list covers both forms. Expect benign hits from developer and CI activity; prioritise events on hosts whose projects contain git source installs.
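The same logic as the query, run over process-creation events offline, as an added example that is not part of the page's SIEM content. It assumes ECS-style JSON events carrying process.name and process.args (as shipped by auditd-based or endpoint agents); the six sample events are constructed, not captured telemetry. Unlike a plain process.name match it locates the composer binary or composer.phar anywhere in argv and skips leading options such as -vvv, so php -d memory_limit=-1 composer.phar remove ... is caught.

```python
"""Flag Composer status/reinstall/remove invocations in process events
(added example; assumes ECS-style process.name / process.args fields)."""
import json
import os

RISKY_SUBCOMMANDS = {"status", "reinstall", "remove"}


def composer_subcommand(args):
    """Return the Composer subcommand from an argv list, or None if not Composer.

    Finds the first token that is a `composer` binary or a `composer.phar`
    (with any path prefix), then skips leading options (-vvv, --working-dir=...)
    to reach the subcommand. Returns None for bare `composer` or `composer --version`.
    """
    start = None
    for index, token in enumerate(args):
        base = os.path.basename(token)
        if base == "composer" or base.endswith("composer.phar"):
            start = index + 1
            break
    if start is None:
        return None
    for token in args[start:]:
        if not token.startswith("-"):
            return token
    return None


def flag_events(jsonl_text):
    """Parse JSON-lines events; return (line_no, subcommand, cmdline) for risky runs."""
    hits = []
    for line_no, raw in enumerate(jsonl_text.strip().splitlines(), start=1):
        event = json.loads(raw)
        args = event.get("process", {}).get("args", [])
        sub = composer_subcommand(args)
        if sub in RISKY_SUBCOMMANDS:
            hits.append((line_no, sub, " ".join(args)))
    return hits


# Constructed sample events (not real telemetry). Lines 1, 2 and 5 should be flagged;
# line 2 has process.name "php" and would be missed by a process.name-only rule.
SAMPLE_EVENTS = """
{"process": {"name": "composer", "args": ["composer", "status"]}}
{"process": {"name": "php", "args": ["php", "-d", "memory_limit=-1", "composer.phar", "remove", "example/lib"]}}
{"process": {"name": "composer", "args": ["composer", "install", "--prefer-dist"]}}
{"process": {"name": "git", "args": ["git", "status"]}}
{"process": {"name": "php", "args": ["php", "/usr/local/bin/composer", "-vvv", "reinstall", "example/lib"]}}
{"process": {"name": "composer", "args": ["composer", "--version"]}}
"""

if __name__ == "__main__":
    for line_no, sub, cmdline in flag_events(SAMPLE_EVENTS):
        print("event %d: composer %s  <-  %s" % (line_no, sub, cmdline))
```

Feed real JSON-lines exports from the endpoint agent in place of SAMPLE_EVENTS; correlating the flagged hosts with the source-install audit from the verification section narrows the alerts to checkouts that actually expose the vulnerable code path.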
