Path traversal in composer - #VU136613
Published: July 1, 2026
composer
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in Composer's processing of the bin field when installing a package whose bin entries contain crafted .. path segments. A remote attacker can trick the victim into installing a malicious dependency and thereby disclose sensitive information.
Exploitation changes the file permissions of an existing target file, making it world-readable and world-executable. User interaction is required: the victim must install, update, or require the dependency.
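The check below is an added example, not Composer's code or its fix: it flags bin entries in a package's composer.json that are absolute or that resolve outside the package directory, so a dependency can be rejected before it is installed. The function names and the sample manifest are constructed for illustration.

```python
import posixpath

# Constructed sample manifest for illustration; not taken from a real package.
SAMPLE_MANIFEST = {
    "name": "example/constructed-package",
    "bin": [
        "bin/tool",                  # normal entry
        "scripts/../bin/ok",         # has "..", but stays inside the package
        "../../../etc/target-file",  # climbs out of the package directory
        "sub\\..\\..\\escape",       # same, with Windows separators
        "/usr/local/bin/x",          # absolute path
    ],
}


def classify_bin_entry(entry):
    """Return None if the entry stays inside the package root, else a reason."""
    if not isinstance(entry, str) or not entry:
        return "not a non-empty string"
    path = entry.replace("\\", "/")  # treat both separator styles alike
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return "absolute path"
    resolved = posixpath.normpath(path)  # collapses "a/../b" to "b"
    if resolved == ".." or resolved.startswith("../"):
        return "resolves outside the package directory"
    return None


def audit_bin(manifest):
    """Return (entry, reason) for every bin entry that should block an install."""
    entries = manifest.get("bin", [])
    if isinstance(entries, str):  # tolerate a single string as well as a list
        entries = [entries]
    findings = []
    for entry in entries:
        reason = classify_bin_entry(entry)
        if reason:
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_bin(SAMPLE_MANIFEST):
        print(f"{SAMPLE_MANIFEST['name']}: bin {entry!r}: {reason}")
```

The check is purely lexical; it does not follow symlinks inside the package, so it complements rather than replaces updating Composer.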