CVE-2026-59948 PUBLISHED

Composer: Arbitrary file write outside vendor via malicious transitive package name

Assigner: GitHub_M
Reserved: 07.07.2026 Published: 08.07.2026 Updated: 09.07.2026

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7

Product Status

Vendor composer
Product composer
Versions
  • Version >= 1.0, < 2.2.29 is affected
  • Version >= 2.3.0, < 2.10.2 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
  • CWE-787: Out-of-bounds Write CWE