Path traversal in composer - #VU136612
Published: July 1, 2026
composer
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of package names (path traversal) when Composer processes package metadata from an untrusted third-party repository during an install or update. A remote attacker who controls such a repository can publish a package whose name contains path traversal sequences, so that the package contents are written outside the vendor directory and outside the project, which can lead to execution of arbitrary code.
Exploitation requires user interaction in the form of a normal install or update, and a malicious or compromised package from an untrusted third-party repository must be present in the dependency graph.
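The check a practitioner would want to see is how a package name taken from repository metadata turns into an install path, and why name validation plus a containment check on the resolved path stops the traversal. The following is an added Python illustration written for this page, not Composer's own code: it joins the name onto a hypothetical vendor directory the way a naive installer would, shows the traversal name landing outside both vendor/ and the project, and then applies a hardened check. The regex is the documented Composer package-name rule, reproduced here as an assumption; the metadata document, the `/srv/app` project layout and the package names are constructed.

```python
import json
import posixpath
import re

# Composer package names are "vendor/project" in lowercase ASCII with dots, dashes and
# underscores only as separators between alphanumeric runs. This regex is the documented
# Composer name rule, copied here for illustration (assumption: it matches what Composer
# enforces; it is not imported from Composer).
PACKAGE_NAME_RE = re.compile(
    r"^[a-z0-9](?:[_.-]?[a-z0-9]+)*/[a-z0-9](?:(?:[_.]|-{1,2})?[a-z0-9]+)*$"
)

# Constructed sample of repository metadata (not a real repository response): one
# well-formed package and one whose "name" field is a traversal string.
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "acme/logger", "version": "1.2.0"},
        {"name": "../../injected", "version": "9.9.9"},
    ]
})

# Hypothetical project layout used for the demonstration.
PROJECT_DIR = "/srv/app"
VENDOR_DIR = "/srv/app/vendor"


def naive_install_path(vendor_dir, name):
    """Vulnerable pattern: trust the name from metadata and join it onto vendor/."""
    return posixpath.normpath(posixpath.join(vendor_dir, name))


def is_valid_package_name(name):
    """Structural check: the name grammar cannot express '..', '/', or absolute paths."""
    return bool(PACKAGE_NAME_RE.match(name))


def inside(root, path):
    """True when the normalized path is root itself or lies strictly beneath it."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return posixpath.commonpath([root, path]) == root


def safe_install_path(vendor_dir, name):
    """Hardened: reject malformed names first, then confirm the resolved target
    still sits under vendor/ (belt and braces in case the grammar is ever loosened)."""
    if not is_valid_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    target = posixpath.normpath(posixpath.join(vendor_dir, name))
    if not inside(vendor_dir, target):
        raise ValueError(f"install path escapes vendor dir: {target}")
    return target


def audit_metadata(raw, vendor_dir=VENDOR_DIR, project_dir=PROJECT_DIR):
    """For each package in a metadata document, report where the naive join would
    write it, whether that escapes vendor/ and the project, and whether the
    hardened check accepts the name."""
    report = []
    for pkg in json.loads(raw)["packages"]:
        name = pkg["name"]
        naive = naive_install_path(vendor_dir, name)
        try:
            safe_install_path(vendor_dir, name)
            accepted = True
        except ValueError:
            accepted = False
        report.append({
            "name": name,
            "naive_path": naive,
            "escapes_vendor": not inside(vendor_dir, naive),
            "escapes_project": not inside(project_dir, naive),
            "accepted": accepted,
        })
    return report


if __name__ == "__main__":
    for row in audit_metadata(SAMPLE_METADATA):
        print(row)
```

Running the block shows `acme/logger` resolving to `/srv/app/vendor/acme/logger` and being accepted, while `../../injected` resolves under the naive join to `/srv/injected`, outside both `/srv/app/vendor` and `/srv/app`, and is rejected by the name check before any path is computed. The containment check is kept even though the regex already excludes traversal, because a grammar relaxation or a second code path that skips validation would otherwise silently reopen the hole.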