Researchers at code security company SonarSource released technical details on the now-patched vulnerability affecting Packagist, which could have been abused to launch supply chain attacks targeting the PHP community.
The flaw, tracked as CVE-2022-24828, affects the PHP package manager Composer, which serves 2 billion software packages every month. It is a command injection issue: a remote attacker can execute arbitrary shell commands on the target system by passing specially crafted data to the application when the Mercurial or the Git driver is used.
“An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project's composer.json can use specially crafted branch names to execute commands on the machine running composer update,” the maintainers wrote in an April 2022 advisory.
The vulnerability was patched in Composer versions 2.3.5, 2.2.12 and 1.10.26, released in April 2022.
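The two facts above that matter to a defender are the Composer version in use and whether the project's composer.json lists Git or Mercurial repositories by URL. The following script, an added example that is not code from the article, SonarSource or the Composer project, checks both: it compares an installed Composer version against the fixed release for its series (1.10.26, 2.2.12, 2.3.5) and lists the VCS repositories declared in a composer.json. The sample composer.json and the repository URLs in it are constructed for the example; the repository type names (`vcs`, `git`, `hg`) are Composer's own.

```python
import json
import re

# Fixed releases for CVE-2022-24828, as named in the April 2022 advisory.
# Keyed by release series; anything below the fixed version in its series
# (or in an earlier, unfixed series such as 2.0/2.1) is treated as affected.
FIXED = {"1.x": (1, 10, 26), "2.0-2.2": (2, 2, 12), "2.3+": (2, 3, 5)}

# Repository types whose entries Composer resolves with the Git/Mercurial
# drivers that the advisory names. "vcs" auto-detects the VCS from the URL.
VCS_TYPES = {"vcs", "git", "hg"}


def parse_version(text):
    """Turn 'v2.3.4' / '2.3.4' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Composer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version):
    """Pick the fixed release a given version should be compared against."""
    major, minor, _ = version
    if major == 1:
        return FIXED["1.x"]
    if major == 2 and minor <= 2:
        return FIXED["2.0-2.2"]
    return FIXED["2.3+"]  # 2.3.x and every later release line


def is_vulnerable(version_text):
    """True when the version predates the fix for its release series."""
    v = parse_version(version_text)
    return v < fixed_version_for(v)


def vcs_repositories(composer_json_text):
    """Return the URLs of repositories composer.json resolves through a VCS driver."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    if isinstance(repos, dict):  # composer.json also allows an object keyed by name
        repos = list(repos.values())
    return [
        r["url"]
        for r in repos
        if isinstance(r, dict) and r.get("type") in VCS_TYPES and "url" in r
    ]


def audit(version_text, composer_json_text):
    """Combine both checks; exposure requires an affected version AND VCS repos."""
    repos = vcs_repositories(composer_json_text)
    vulnerable = is_vulnerable(version_text)
    return {
        "composer_version": version_text,
        "vulnerable_version": vulnerable,
        "vcs_repositories": repos,
        "exposed": vulnerable and bool(repos),
    }


# Constructed sample composer.json (hypothetical package names and URLs).
SAMPLE_COMPOSER_JSON = """
{
  "name": "example/app",
  "repositories": [
    {"type": "vcs", "url": "https://git.example.invalid/acme/lib.git"},
    {"type": "git", "url": "https://git.example.invalid/acme/tools.git"},
    {"type": "path", "url": "../local-package"},
    {"type": "composer", "url": "https://packagist.example.invalid"}
  ],
  "require": {"acme/lib": "dev-main"}
}
"""

if __name__ == "__main__":
    # In practice read the version from `composer --version` and the file from disk.
    print(json.dumps(audit("2.3.4", SAMPLE_COMPOSER_JSON), indent=2))
```

The `exposed` flag is deliberately conservative: a pre-fix Composer with no VCS repositories in composer.json is still worth upgrading, but the advisory's precondition (a Git or Mercurial repository listed by URL) is what turns the bug into a reachable code path during `composer update`.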
SonarSource says that the vulnerability could have been used to hijack over a hundred million requests to distribute malicious dependencies and compromise millions of servers.
CVE-2022-24828 is related to a similar, earlier Composer bug (CVE-2021-29472) that came to light in April 2021, the researchers said, adding that they found no evidence that the flaw had been exploited by malicious actors.