HIGH · CVSS 7.3
CVE-2024-56204 — Composer cache-poisoning RCE
A cache-poisoning vulnerability in Composer (PHP dependency manager) could let a malicious package poison a victim's cache, resulting in RCE on subsequent installs.
Affects
- Composer 2.x < 2.8.4
What an attacker does
An attacker publishes a malicious package version. When a victim installs any package that shares metadata paths, the poisoned metadata compromises Composer's cache. Subsequent installs execute attacker code.
How to detect
Run `composer --version` on developer machines and in CI; any Composer 2.x release below 2.8.4 is affected.
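The version check above as a CI guard, written as an added example (not part of this advisory or of Composer's own tooling): it parses the output of `composer --version`, compares the version against the fixed release 2.8.4 stated above, and fails the job on an affected 2.x build. The sample output strings are constructed.

```shell
#!/bin/sh
# Added example: fail a CI job when the installed Composer is a 2.x release
# below 2.8.4 (the fixed version named in the advisory).

FIXED_VERSION="2.8.4"

# Extract the dotted version from `composer --version` output, e.g.
# "Composer version 2.7.7 2024-06-10 22:11:12" -> "2.7.7".
# Any further lines (PHP version, diagnose hint) are ignored.
composer_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2 (pure POSIX sh,
# no dependency on `sort -V`); missing fields count as 0, so 2.8 < 2.8.4.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Return 0 when the given `composer --version` output is an affected release
# (2.x and below FIXED_VERSION); unparseable output is not flagged.
is_vulnerable_output() {
    v=$(composer_version_from_output "$1")
    [ -n "$v" ] || return 1
    case "$v" in 2.*) ;; *) return 1 ;; esac
    version_lt "$v" "$FIXED_VERSION"
}

# CI step: run the installed composer and fail the job if it is affected.
check_installed_composer() {
    out=$(composer --version 2>/dev/null) || { echo "composer not found"; return 2; }
    if is_vulnerable_output "$out"; then
        echo "FAIL: $out (below $FIXED_VERSION, affected by CVE-2024-56204)"
        return 1
    fi
    echo "OK: $out"
}
```

Call `check_installed_composer` from the CI pipeline step that runs before `composer install`.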
How to fix
Upgrade Composer to 2.8.4+.
How Securie catches CVE-2024-56204
Securie's PHP specialist flags Composer versions.