CVE Tools
Sign in

CVE-2025-67746

Composer vulnerable to ANSI sequence injection

Published: Dec 30, 2025Updated: Feb 25, 2026 Sources: CVE List NVD GHSA BDUCWE-74
NVD MITRE
4.3CVSSMEDIUM
EPSS Score
0.4%
Top 67.9%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:UC:NI:NA:L
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:LAvailability
Low
Open in CVSS calculator →

Weaknesses

CWE-74

Affected Products

composercomposer
Library
DevTools & CI / artifact-registry
composergetcomposer
Library
OSS Libraries / packagist
composer/composerPackagistOSS Libraries
РЕД ОСООО «Ред Софт»
On-premOS
Operating Systems / linux-distro
ComposerNils Adermann, Jordi Boggiano
Library
OSS Libraries / generic-library
composeross-projectDevTools & CI
getcomposeross-projectOSS Librariesaka composer php dependency manager
packagistpackage-ecosystemOSS Libraries
ооо «ред софт»commercialRUOperating Systemsaka red soft
nils adermann, jordi boggianoindividual-devDEOSS Librariesaka composer

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

2 techniques
Execution
Initial Access
View detailed technique mapping

References

https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
github.com
https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
github.com
https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
github.com
and 12 more references View all →

Timeline

Published
Dec 30, 2025
Last Updated
Feb 25, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-67746 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows