New PHP Composer Vulnerability Let Attackers Execute Arbitrary Commands

PHP Composer released urgent security updates to address two critical command injection vulnerabilities. PHP Composer is an essential dependency management tool used globally by developers, making any code execution flaws highly concerning.

These specific bugs reside in the Perforce Version Control System (VCS) driver and allow attackers to execute arbitrary commands on a victim’s machine.

Users are strongly urged to immediately update their installations to Composer version 2.9.6 or the long-term support version 2.2.27.

According to the official security advisory published by Nils Adermann, the vulnerabilities stem from insufficient escaping of values when constructing shell commands.

Fortunately, the development team reports that there is currently no evidence of active exploitation in the wild prior to this public disclosure.

PHP Composer Vulnerability

The two security issues expose software developers to severe risks when handling untrusted projects or malicious package metadata.

• CVE-2026-40176: Discovered by security researcher saku0512, this vulnerability directly affects the internal method used to generate Perforce commands.

  Attackers can seamlessly inject arbitrary commands by manipulating connection parameters such as the port, user, or client within a malicious composer.json file.

  This attack vector only works if a developer manually executes Composer commands on an untrusted project directory. It cannot be triggered silently through standard installed dependencies.

• CVE-2026-40261: Reported by researcher Koda Reef, this flaw involves improper escaping when appending a source reference parameter to a system shell command.

  A compromised or malicious Composer repository can easily serve tainted package metadata that exploits this vulnerability.

  Alarmingly, an attacker does not even need Perforce software installed on the target machine, as Composer will attempt to run the injected command anyway.
   
  This is highly dangerous because it can be exploited simply by installing malicious dependencies from the source.

To protect the broader PHP developer ecosystem, security teams proactively scanned the primary public repository, Packagist.org, as well as Private Packagist environments.

These comprehensive scans revealed no existing packages attempting to exploit these specific vulnerabilities. As a strict preventative measure, the publication of Perforce source metadata has been completely disabled on both platforms since April 10, 2026.

Mitigations

The absolute most effective way to secure your local environment is to patch the software immediately. You can effortlessly upgrade to the safe releases by running the command composer.phar self-update in your terminal.

If you cannot update right away, security experts recommend the following temporary workarounds:

• Avoid installing dependencies directly from source by utilizing the --prefer-dist flag or configuring your project settings to prefer distribution files.
• Always ensure you are only relying on trusted, verified Composer package repositories.
• Carefully inspect the composer.json files of any untrusted projects before executing Composer commands, verifying that all Perforce-related fields contain valid data.

Developers using self-hosted Private Packagist solutions should expect a prompt release update containing verification tools to scan for malicious metadata on their own infrastructure

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post New PHP Composer Vulnerability Let Attackers Execute Arbitrary Commands appeared first on Cyber Security News.