Main Vulnerability Database Vulnerabilities #VU131373

Information disclosure in composer - #VU131373

Published: May 13, 2026

Vulnerability identifier: #VU131373

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: getcomposer.org

Affected software:
composer

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in Composer\IO\BaseIO::loadConfiguration() when validating GitHub OAuth tokens. A remote attacker can supply a token containing invalid characters to disclose sensitive information.

The issue is triggered when the rejected token is interpolated into an exception message and written to stderr, which may be captured in GitHub Actions logs.

Remediation

Install security update from vendor's website.

Sources

https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2

Information disclosure in composer - #VU131373

Detailed vulnerability description

Remediation

Sources

Please verify you're human