JustAppSec

Composer patches Perforce command injection via malicious package metadata

2 min read
Published 14 Apr 2026, updated 15 Apr 2026
Source: GitHub Advisory Database

TL;DR — Composer’s Perforce VCS handling can be abused for command injection, enabling arbitrary shell command execution during dependency installs/updates from source when malicious Perforce metadata is encountered.

What happened

Composer is the de-facto dependency manager for PHP applications and build pipelines, commonly used to fetch and update third-party packages.

A GitHub-reviewed advisory for composer/composer describes a command injection issue in Composer’s Perforce VCS support. The advisory states that Perforce::syncCodeBase() appends an attacker-controlled $sourceReference into a shell command without proper escaping, enabling injection via shell metacharacters. It further notes a related injection surface in Perforce::generateP4Command() (also referenced in a separate advisory) through unescaped Perforce connection parameters.

Two details make this operationally relevant for platform teams: (1) Composer may execute the injected command even if Perforce is not installed, and (2) the malicious values can be delivered via package metadata served by a Composer package repository, turning this into a supply-chain-shaped risk when repositories are compromised or untrusted.

Who is impacted

  • Any environment running composer/composer in the affected version ranges.
  • Highest-risk workflows are installs/updates from source (e.g., with --prefer-source; the advisory notes that source installs are the default for dev-prefixed versions), since that is where Composer processes VCS metadata.

Package             Affected versions (per advisory ranges)   Fixed versions (per advisory)
composer/composer   >= 2.3.0 and < 2.9.6                      2.9.6
composer/composer   >= 1.0.0 and < 2.2.27                     2.2.27

Severity is marked HIGH in the advisory, with CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.

    "Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)"

  • If you cannot update immediately, apply the vendor-listed workaround to reduce exposure.

    "Avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting."

  • Treat repository trust as part of your control plane.

    "Only use trusted Composer repositories."

  • Inventory where Composer executes in your org (developer workstations, CI runners, release builders) and prioritize upgrades where dependency installs occur with --prefer-source or dev-prefixed versions.
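As an added illustration (not Composer's own code and not part of the advisory), a small Python helper that applies the advisory's version ranges and checks a project's parsed composer.json and composer.lock for the mitigations listed above: dist-only installs, Perforce-backed packages, and lock-file source references carrying shell metacharacters. The sample inputs are constructed; the version parser ignores pre-release suffixes.

```python
import json
import re

# Affected ranges [lower, fixed) and fixed releases, as stated in the advisory.
AFFECTED_RANGES = [((1, 0, 0), (2, 2, 27)), ((2, 3, 0), (2, 9, 6))]
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")  # characters a Perforce ref never needs


def parse_version(text):
    """Leading major.minor.patch triple from `composer --version` output or a tag.
    Pre-release suffixes (e.g. -RC1) are ignored; treat those builds conservatively."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Composer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the version falls inside either advisory range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def audit(composer_json, composer_lock):
    """Findings for the mitigations the advisory names: dist-only installs,
    Perforce-backed packages, and lock references carrying shell metacharacters."""
    findings = []
    preferred = composer_json.get("config", {}).get("preferred-install")
    if preferred != "dist":
        findings.append(f"preferred-install is {preferred!r}, not 'dist'")
    for section in ("packages", "packages-dev"):
        for pkg in composer_lock.get(section, []):
            src = pkg.get("source") or {}
            name = pkg.get("name", "?")
            if src.get("type") == "perforce":
                findings.append(f"{name} resolves from a Perforce source: {src.get('url')}")
            if SHELL_META.search(str(src.get("reference", ""))):
                findings.append(f"{name}: shell metacharacters in source.reference")
    return findings


# Constructed sample inputs (not real packages): one Perforce-sourced package
# whose reference carries an inert ';' and one ordinary git-sourced package.
SAMPLE_JSON = json.loads('{"config": {"preferred-install": "source"}}')
SAMPLE_LOCK = json.loads("""{"packages": [
  {"name": "acme/widget", "source": {"type": "perforce",
   "url": "perforce.example.invalid:1666", "reference": "//depot/widget@123; true"}},
  {"name": "acme/clean", "source": {"type": "git",
   "url": "https://example.invalid/clean.git", "reference": "0123abcd"}}
]}""")
```

Running audit(SAMPLE_JSON, SAMPLE_LOCK) yields three findings; a clean project on 2.9.6 or 2.2.27 with preferred-install set to dist yields none.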

