CVE-2026-59946 PUBLISHED

Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files

Assigner: GitHub_M
Reserved: 07.07.2026 Published: 08.07.2026 Updated: 09.07.2026

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
CVSS Score: 6.1

Product Status

Vendor composer
Product composer
Versions
  • Version >= 1.0, < 2.2.29 is affected
  • Version >= 2.3.0, < 2.10.2 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource CWE