Composer/composer

This hub aggregates every CVE we track for Composer/composer, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 9 most recently published vulnerabilities affecting Composer/composer.

• CVE-2025-67746Composer vulnerable to ANSI sequence injection4.3Dec 30, 2025
• CVE-2024-35242Composer vulnerable to command injection via malicious git/hg branch names8.8Jun 10, 2024
• CVE-2024-35241Composer vulnerable to command injection via malicious git branch name8.8Jun 10, 2024
• CVE-2024-24821Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer8.8Feb 8, 2024
• CVE-2023-43655Remote Code Execution via web-accessible composer.phar6.4Sep 29, 2023
• CVE-2015-8371Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because...8.8Sep 21, 2023
• CVE-2022-24828Missing input validation can lead to command execution in composer8.3Apr 13, 2022
• CVE-2021-41116Command injection in composer on Windows8.2Oct 5, 2021
• CVE-2021-29472Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer8.8Apr 27, 2021