CVE-2024-35241 Information

Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7 the status reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

Reference

https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4 https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704