CVE-2025-67746
📋 TL;DR
This CVE describes a vulnerability in the Composer PHP dependency manager in which an attacker who controls a remote package source can inject ANSI control characters into Composer's terminal output. The injected sequences can mangle the terminal display, confuse users, or potentially cause a denial of service of the terminal application. Users of Composer 2.x versions before 2.2.26 and 2.9.3 are affected.
💻 Affected Systems
- Composer PHP Dependency Manager
📦 What is this software?
Composer by Getcomposer
⚠️ Risk & Real-World Impact
Worst Case
Terminal applications could crash or become unusable due to malformed ANSI sequences, causing disruption to development workflows and potentially interrupting automated build processes.
Likely Case
Confusing or garbled terminal output that requires users to restart their terminal session, causing minor productivity disruption.
If Mitigated
With proper controls like using patched versions or trusted sources only, impact is minimal to none.
🎯 Exploit Status
Exploitation requires attackers to control or compromise remote package repositories that users download from. No proven exploits exist according to the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.26 or 2.9.3
Vendor Advisory: https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
Restart Required: No
Instructions:
1. Check current Composer version: composer --version
2. Update Composer: composer self-update --stable
3. Verify update: composer --version should show 2.2.26+ or 2.9.3+
4. For global installations, roll back with composer self-update --rollback if the update causes problems
🔧 Temporary Workarounds
Use only trusted package sources
Configure Composer to only download packages from trusted, verified repositories
composer config --global secure-http true
composer config --global disable-tls false
Disable ANSI output
Run Composer with ANSI output disabled to prevent control character injection
composer --no-ansi [command]
🧯 If You Can't Patch
- Only download packages from trusted, verified repositories and avoid untrusted sources
- Monitor Composer output for unusual characters or garbled displays and investigate sources if observed
🔍 How to Verify
Check if Vulnerable:
Run 'composer --version' and check if version is before 2.2.26 or 2.9.3
Check Version:
composer --version
Verify Fix Applied:
Run 'composer --version' and confirm version is 2.2.26 or higher, or 2.9.3 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual terminal output with ANSI escape sequences from Composer commands
- Terminal applications crashing or hanging during Composer operations
Network Indicators:
- Composer downloading packages from unusual or untrusted repositories
SIEM Query:
process.name:"composer" AND (event.action:"download" OR event.action:"install") AND network.destination.domain NOT IN ["packagist.org", "repo.packagist.org"]
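The version check from the "How to Verify" section and the "unusual ANSI escape sequences" log indicator above, as an added example (not code from this page or from the Composer project). It assumes the advisory's "2.x before 2.2.26 and 2.9.3" means the 2.0/2.1/2.2 branches are fixed from 2.2.26 and 2.3 through 2.9 are fixed from 2.9.3; the sample output lines are constructed.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions named in the advisory. Assumption: 2.0.x-2.2.x are fixed from
# 2.2.26 and 2.3.0-2.9.x are fixed from 2.9.3.
FIXED_LTS: Version = (2, 2, 26)
FIXED_MAIN: Version = (2, 9, 3)

# Matches the first line of `composer --version`, e.g.
# "Composer version 2.7.1 2024-02-09 15:26:28"
VERSION_RE = re.compile(r"Composer(?: version)? (\d+)\.(\d+)\.(\d+)")

# CSI sequences (ESC [ params intermediates final), other ESC-introduced
# sequences (ESC followed by 0x40-0x5F), and bare C0/DEL control bytes other
# than tab, newline and carriage return, which are normal in terminal output.
CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[\x40-\x5f]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"
)


def parse_composer_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `composer --version` output."""
    m = VERSION_RE.search(output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: Version) -> bool:
    """Apply the advisory's affected-version rule (2.x only)."""
    major, minor, _ = version
    if major != 2:
        return False
    return version < (FIXED_LTS if minor <= 2 else FIXED_MAIN)


def composer_status(version_output: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a --version line."""
    version = parse_composer_version(version_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def find_control_sequences(line: str) -> List[str]:
    """Return every ANSI/control sequence found in one line of Composer output."""
    return CONTROL_RE.findall(line)


if __name__ == "__main__":
    print(composer_status("Composer version 2.7.1 2024-02-09 15:26:28"))
    # Constructed sample line: a package name carrying a CSI colour sequence.
    print(find_control_sequences("  - Installing \x1b[31mvendor/pkg\x1b[0m (1.0.0)"))
```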
🔗 References
- https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
- https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
- https://github.com/composer/composer/releases/tag/2.2.26
- https://github.com/composer/composer/releases/tag/2.9.3
- https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g