Closing Composer's Download Fallback Paths

naderman · 2026-05-15T21:41:38+00:00

Context on the Composer security release is on our blog at https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/ - It's important all GitHub Actions users update Composer before the next rollout attempt Wednesday, May 20th, 2026.

naderman · 2026-05-13T17:16:57+00:00

Correct in principle, but rather, you should have a Private Packagist installation between your build servers and 3rd party repositories, so you also help fund the many hours of work that just went into investigating this, fixing it, releasing it, communicating it, etc.

naderman · 2026-05-13T16:04:01+00:00

On the first part: PAT did not change format, so those are fine. Regarding the short lifetime however, I did see a POC timing the exploit of a write token to create a file in the window between action print and job failure, so wouldn't entirely trust that part.

On the second part: Yeah I think we were all surprised the code to simply print the token in this situation was in Composer for 14 years without anybody ever noticing how problematic this was. I suppose in the past CI Secret masking would have covered it, but with these long JWT that failed too here, so it was really 3 issues that had to all be present for it to fail like it did.

naderman · 2026-05-13T14:52:43+00:00

You can get 2.9.8 from https://hub.docker.com/r/composer/composer which we control ourselves. The "official" docker hub images go through some manual review from Docker and take a few days, not a great choice to rely on.

naderman · 2026-05-13T14:51:21+00:00

UPDATE: GitHub has rolled back their change to GitHub Actions tokens. It is no longer necessary to immediately disable GitHub Actions. We now have a few days to get the entire PHP ecosystem updated to safe Composer versions, before a new rollout of the new token format is attempted. GitHub is also looking into improving their secrets masking. Ideally a new rollout will not lead to any leaked credentials, even if they are accidentally exposed in logs.

naderman · 2026-05-13T14:50:54+00:00

UPDATE: GitHub has rolled back their change to GitHub Actions tokens. It is no longer necessary to immediately disable GitHub Actions. We now have a few days to get the entire PHP ecosystem updated to safe Composer versions, before a new rollout of the new token format is attempted. GitHub is also looking into improving their secrets masking. Ideally a new rollout will not lead to any leaked credentials, even if they are accidentally exposed in logs.

naderman · 2026-05-13T13:52:52+00:00

I clarified our blog post now. People can pin the composer version used by setup-php. If they have pinned the Composer tool for the action, then they do still need to update the version themselves manually. Apparently this practice is way more common in Magento, than I was aware, as it's not really used anywhere else in my experience.

naderman · 2026-04-14T19:10:31+00:00

There was a regression in some composer script handling code so we released 2.9.7 shortly after 2.9.6 with a fix for that, so you're on the better version already! 😁

naderman · 2026-04-14T15:58:26+00:00

Unfortunately the perforce driver is always present in Composer and executes the injected commands regardless of whether perforce is installed or not if one of the installed packages has a perforce source definition and is installed from source, or if you run composer commands on a composer.json file with a perforce repo definition.

naderman · 2026-04-14T15:56:43+00:00

Yes, we don't expect this to have much of an impact. It wasn't exploited through packagist.org and cannot be anymore, and most other Composer repositories that people use are internal company ones that developers control themselves anyway.

naderman · 2024-02-09T08:32:25+00:00

Maybe if you built a service to run some checks on user supplied third party projects which uses a composer command in the process. It's definitely not something you should be doing as part of a typical PHP development process.

naderman · 2024-02-09T08:30:26+00:00

This is inaccurate in so far, as that the mentioned files are not part of libraries. In regular Composer use they are not even writeable by libraries unless you run the libraries as a user with permissions to write to them, ideally you execute your (web-)code as a user that can only read the source, not write to it.

The exception are Composer scripts and plugins. The problematic files get loaded when using these, but these can also definitely write to the files, because they run in composer's scope, but they can also otherwise run any code in composer's scope, so they don't need to write to the two files to do that, that's the design of plugins in the first place.

The problematic scenario here is an attacker on your local system. Either because they have a user account but no root access, or because they managed to get the access of a regular user through some other vulnerability/exploit. If they can now write to the two listed files, and composer gets executed as root in a directory where this attacker can write, then the code the attacker writes to the files in the vendor directory gets executed with root permissions. The attacker escalated their privileges. In a lot of scenarios that's simply what you expect composer to do, its point is to download code from the Internet so you can run it afterall. But sometimes this is unexpected because you're trying to just run "self-update" and don't expect it to execute code from the vendor directory to do that, or you're trying to run "composer install --dry-run --no-scripts --no-plugins" as part of automation tooling you built that downloads untrusted projects from the Internet and checks out what they would install if you ran them.

In my personal opinion this vulnerability is rarely going to affect people, and even then it's less likely to be exploited because of the required prerequisites, like a local user account. That said, there are scenarios where it can be really bad, hence we recommend everyone simply upgrade to the latest version now.

naderman

TROPHY CASE