A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks

Cyber Security

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and “backdoor every PHP package,” resulting in a supply-chain attack.

Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.

“Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders,” Composer said its release notes for versions 2.0.13 and 1.10.22 published on Wednesday. “To the best of our knowledge the vulnerability has not been exploited.”

Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.

According to SonarSource, the vulnerability stems from the way package source download URLs are handled, potentially leading to a scenario where an adversary could trigger remote command injection. As proof of this behavior, the researchers exploited the argument injection flaw to craft a malicious Mercurial repository URL that takes advantage of its “alias” option to execute a shell command of the attacker’s choice.

“A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies,” SonarSource said.

The Geneva-based code security firm said one of the bugs was introduced in November 2011, suggesting that the vulnerable code lurked right from the time development on Composer started 10 years ago. The first “alpha” version of Composer was released on July 3, 2013.

“The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins,” Jordi Boggiano, one of the primary developers behind Composer, said.