SB2026070158 - Multiple vulnerabilities in composer
Published: July 1, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists because Composer's debug output writes repository or package URLs to the log without stripping credentials embedded in the username field of the URL. A local user who runs Composer with debug verbosity can therefore cause an embedded access token to be written to the verbose log and disclose it.
Exposure occurs only when a credential is embedded in a handled URL in the username slot, and the debug output is retained or shared where others can read it.
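The two defensive steps that follow from this item are to redact userinfo before a URL ever reaches a log line, and to find configurations that carry credentials in URLs at all. The following Python is an added example written for this bulletin, not Composer's own code: `redact_url_credentials` masks the userinfo portion of a URL, and `find_embedded_credentials` walks a parsed composer.json or auth.json structure and reports every URL that carries userinfo. The sample configuration and token value are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def redact_url_credentials(url: str) -> str:
    """Return url with any userinfo (user:pass@ or token@) replaced by '***@'.

    Scheme, host, port, path, query and fragment are preserved so the log
    line stays useful for debugging without carrying the secret.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to redact
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))


def find_embedded_credentials(config, path="$"):
    """Walk a parsed JSON structure (dict/list/str) and return a list of
    (json_path, redacted_url) pairs for every string URL carrying userinfo.

    The json_path uses a simple '$.key[index]' notation so a reviewer can
    locate the offending entry in composer.json or auth.json.
    """
    hits = []
    if isinstance(config, dict):
        for key, value in config.items():
            hits.extend(find_embedded_credentials(value, f"{path}.{key}"))
    elif isinstance(config, list):
        for index, value in enumerate(config):
            hits.extend(find_embedded_credentials(value, f"{path}[{index}]"))
    elif isinstance(config, str) and "://" in config:
        parts = urlsplit(config)
        if parts.username is not None or parts.password is not None:
            hits.append((path, redact_url_credentials(config)))
    return hits


# Constructed sample composer.json; the token is a placeholder, not a real credential.
SAMPLE_COMPOSER_JSON = {
    "name": "acme/app",
    "repositories": [
        {"type": "vcs", "url": "https://ghp_EXAMPLETOKEN@github.com/acme/private-lib.git"},
        {"type": "composer", "url": "https://repo.example.com/"},
    ],
}


if __name__ == "__main__":
    for json_path, redacted in find_embedded_credentials(SAMPLE_COMPOSER_JSON):
        print(f"credential embedded in URL at {json_path}: {redacted}")
```

The redaction keeps the host and path so a log line remains attributable to a repository; a scan that reports a hit is a prompt to move the credential into auth.json or an environment-backed auth mechanism rather than the URL.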
2) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to path traversal in package name validation when processing package metadata from an untrusted third-party repository during install or update. A remote attacker can publish a malicious package with an invalid package name so that files are written outside the vendor directory and outside the project, leading to arbitrary code execution.
User interaction is required in the form of a normal install or update, and exploitation requires a malicious or compromised package from an untrusted third-party repository to be present in the dependency graph.
3) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in Composer's processing of the bin field when installing a package whose bin entries contain crafted .. path segments. A remote attacker can trick the victim into installing a malicious dependency to disclose sensitive information.
The traversal changes the permissions of an existing target file to make it world-readable and world-executable; user interaction is required to install, update, or require the dependency.
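Items 2 and 3 share one root cause: a string taken from package metadata (the package name, or a bin entry) is joined onto a directory and the result is allowed to escape that directory. The following Python is an added example for this bulletin, not Composer's code, showing the pre-install gate a defender can run over a parsed composer.lock before `composer install`: `resolve_under` normalizes a candidate path and confirms it stays inside its base directory, `valid_package_name` applies a conservative vendor/name pattern (this example's own rule, stricter than Composer's schema), and `audit_lock` reports packages whose name or bin entries would escape. The vendor directory path and the lock-file contents are constructed.

```python
import posixpath
import re

# Conservative vendor/name pattern used by this example (not Composer's exact schema):
# lowercase alphanumerics, single '.', '_' or '-' separators, exactly one slash.
# Separators must be followed by an alphanumeric, so '..' can never appear.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9]+(?:[._-][a-z0-9]+)*/[a-z0-9]+(?:[._-][a-z0-9]+)*$")


def resolve_under(base: str, relative: str):
    """Join relative onto base and return the normalized POSIX path, or None
    when the result would leave base (absolute input, '..' climbing,
    backslashes or NUL bytes)."""
    if "\\" in relative or "\0" in relative:
        return None
    if posixpath.isabs(relative):
        return None
    base_n = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base_n, relative))
    if target == base_n or target.startswith(base_n + "/"):
        return target
    return None


def valid_package_name(name: str) -> bool:
    """True if name matches the example's vendor/name pattern."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def audit_lock(lock: dict, vendor_dir: str = "/project/vendor") -> list:
    """Return a list of findings for packages in a parsed composer.lock whose
    name would resolve outside vendor_dir or whose bin entries would resolve
    outside the package's own directory."""
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not valid_package_name(name):
            findings.append(f"{name!r}: invalid package name")
            continue
        pkg_dir = resolve_under(vendor_dir, name)  # defence in depth behind the regex
        if pkg_dir is None:
            findings.append(f"{name!r}: install path escapes {vendor_dir}")
            continue
        bins = pkg.get("bin", [])
        if isinstance(bins, str):
            bins = [bins]
        for entry in bins:
            if resolve_under(pkg_dir, entry) is None:
                findings.append(f"{name!r}: bin entry {entry!r} escapes package directory")
    return findings


# Constructed composer.lock fragment: one benign package and two hostile ones.
SAMPLE_LOCK = {
    "packages": [
        {"name": "acme/logger", "version": "1.2.0", "bin": ["bin/acme-log"]},
        {"name": "../../../../etc/cron.d/evil", "version": "0.0.1"},
        {"name": "evil/tool", "version": "0.0.1", "bin": ["../../../../etc/passwd", "bin/ok"]},
    ],
    "packages-dev": [],
}


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(finding)
```

Both checks compare normalized paths against the intended base rather than searching the raw string for "..", which is what makes absolute paths, mixed separators and deeply nested climbs fail the same way; the bin check is applied relative to the package directory because that is the directory a bin entry is supposed to point into.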
Remediation
Install the update from the vendor's website.