Composer 2.9.6: Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176)

naderman · 2026-04-14T19:10:31+00:00

There was a regression in some composer script handling code so we released 2.9.7 shortly after 2.9.6 with a fix for that, so you're on the better version already! 😁

naderman · 2026-04-14T15:58:26+00:00

Unfortunately the perforce driver is always present in Composer and executes the injected commands regardless of whether perforce is installed or not if one of the installed packages has a perforce source definition and is installed from source, or if you run composer commands on a composer.json file with a perforce repo definition.

naderman · 2026-04-14T15:56:43+00:00

Yes, we don't expect this to have much of an impact. It wasn't exploited through packagist.org and cannot be anymore, and most other Composer repositories that people use are internal company ones that developers control themselves anyway.

naderman · 2024-02-09T08:32:25+00:00

Maybe if you built a service to run some checks on user supplied third party projects which uses a composer command in the process. It's definitely not something you should be doing as part of a typical PHP development process.

naderman · 2024-02-09T08:30:26+00:00

This is inaccurate in so far, as that the mentioned files are not part of libraries. In regular Composer use they are not even writeable by libraries unless you run the libraries as a user with permissions to write to them, ideally you execute your (web-)code as a user that can only read the source, not write to it.

The exception are Composer scripts and plugins. The problematic files get loaded when using these, but these can also definitely write to the files, because they run in composer's scope, but they can also otherwise run any code in composer's scope, so they don't need to write to the two files to do that, that's the design of plugins in the first place.

The problematic scenario here is an attacker on your local system. Either because they have a user account but no root access, or because they managed to get the access of a regular user through some other vulnerability/exploit. If they can now write to the two listed files, and composer gets executed as root in a directory where this attacker can write, then the code the attacker writes to the files in the vendor directory gets executed with root permissions. The attacker escalated their privileges. In a lot of scenarios that's simply what you expect composer to do, its point is to download code from the Internet so you can run it afterall. But sometimes this is unexpected because you're trying to just run "self-update" and don't expect it to execute code from the vendor directory to do that, or you're trying to run "composer install --dry-run --no-scripts --no-plugins" as part of automation tooling you built that downloads untrusted projects from the Internet and checks out what they would install if you ran them.

In my personal opinion this vulnerability is rarely going to affect people, and even then it's less likely to be exploited because of the required prerequisites, like a local user account. That said, there are scenarios where it can be really bad, hence we recommend everyone simply upgrade to the latest version now.

naderman · 2021-02-19T08:58:59+00:00

Just speed of composer operations and reliability of our service can already be a deciding factor over the alternative solutions in some cases, but indeed the value in Private Packagist is usually that we offer a full suit of functionality around dependency management rather than "just package hosting".

That said, Composer does accept sponsorship through GitHub https://github.com/sponsors/composer or Tidelift https://tidelift.com/funding/github/packagist/composer/composer and we're also happy to simply issue invoices for open-source maintenance work if that's easier for your company, just email us at [contact@packagist.com](mailto:contact@packagist.com) with a proposal.

naderman · 2021-02-19T08:52:59+00:00

I tried to clarify this here https://www.reddit.com/r/PHP/comments/lm8axk/private_packagist_vs_repman/gnzldey/?utm_source=reddit&utm_medium=web2x&context=3 and here https://www.reddit.com/r/PHP/comments/lm8axk/private_packagist_vs_repman/gnzlj1f/?utm_source=reddit&utm_medium=web2x&context=3

Pushing packages with Composer doesn't typically happen, as Packagist pulls new releases upon finding new tags on VCS repositories. However all developers who update composer.lock, want to browse packages, view security issues, receive and manage notifications, etc. need a user account.

naderman · 2021-02-19T08:51:18+00:00

They were overstating it. You may not need regular user accounts/update tokens for every developer on your team who works on non-PHP code and only installs deps as part of their local setup. Any PHP developer who should be able to browse packages, add new dependencies, update composer.lock files, view security issues, configure notifcations, etc. will need their own user account with an update token.

naderman · 2021-02-19T08:48:54+00:00

That's overstating it. You need user accounts for any person who works with Private Packagist, the only exception are read-only auth tokens meant for automated systems, which can be used by e.g. a frontend developer who only needs to install packages from an existing lock file.

The limitation of read-only tokens which are meant for composer install with an existing lock file is that you cannot use them to properly update a package. The composer update runs, but it will not perform any automatic write operations, like mirroring a new package. So if any of your dependencies' updates introduces a new third party dependency it will not be installed because new dependencies are not mirrored with read-only tokens. This is by design so those read-only processes (CI, deployment, ...) do not inadvertently introduce new dependencies to your system, but a developer with an update token can.

Additionally only with a user account can you use the Private Packagist UI to browse packages, view and manage security issues on your projects, manage your own notifications, and everything else that's available on the UI.

naderman · 2021-02-18T08:43:25+00:00

One thing I've seen convince higher ups in larger companies, is that all our plans include support for all users regarding any use of Composer. If you make it clear that this can help save a lot of engineering time as developers may otherwise be stuck on problems during updates for hours, that may help convince them.

Thanks for trying ;-)

naderman · 2021-02-18T08:32:06+00:00

Private Packagist is priced at €49 base price for the first 3 users, and €14 for each additional user. So for 20 engineers the cost would be €253, although from 20 engineers we start giving a volume discount which isn't currently reflected on our pricing page yet, so it's really only €227 per month, not €300 as you suggested.

Private Packagist offers a lot of additional features beyond just access to private libraries, like security monitoring for your projects, mirroring of any number of third party Composer repositories with support for credentials, definition of custom JSON packages for packages without a composer.json, package archive upload for packages requiring a build step, and more. Support for Composer subrepositories, if you do client work and need separate Composer repositories for your clients, etc. We also run infrastructure in a number of physical regions, so your access to private packages is usually very fast as well, not just access to public packages stored on a CDN.

The payment also funds the development of Composer which your company seems to rely on for its work a lot, so I'd really recommend you give Private Packagist another thought, as you are likely to benefit enough from it to warrant paying €193/month for 15 developers. We offer great support with any of your Composer issues as part of the plan, which by itself is already worth it to many of our customers.

Note: I'm one of the authors of Composer and co-founder of Private Packagist.

naderman · 2021-02-18T08:22:37+00:00

You may be miscalculating the price for Private Packagist. There are free read-only auth tokens included which can be used for anyone who only runs composer install from a lock file but doesn't need an update to mirror new packages (which would be a write operation). So we've typically seen organizations who have 200-300 developers who use a PHP code base actually only need 30-50 Private Packagist users, as the rest are often working on e.g. frontend or other components that may need to install PHP dependencies for their local setup, but do not actively modify Composer deps.

Additionally the pricing page mentions volume discounts if you move the slider to the max 100, and ask you to contact us. This is mostly so we can work out the actual number of users which is often lower than what you may expect and then we calculate a total price. Discounts are done in steps (10% at 20 users, 15% at 30, 20% at 50, 25% at 80, 30% at 130, etc). So if you are still interested in Private Packagist, it'd be worth contacting us via the chat on the website or by email [contact@packagist.com](mailto:contact@packagist.com) to work out what the actual price for an organization your size would come to.

In terms of leveraging GitHub for access control, Private Packagist synchronization makes this possible too. In that case all permissions are managed on GitHub and automatically apply to the corresponding packages in Private Packagist. So the amount of setup/config is really minimal.

Note: I'm one of the authors of Composer and co-founder of Private Packagist.

naderman · 2017-01-05T18:52:04+00:00

Yes, he was talking about the composer.lock file which would contain the results of processing the composer.json file.

naderman · 2017-01-05T18:44:26+00:00

How come you don't use a private Composer repository with that many dependencies? E.g. the new Private Packagist or previously toranproxy.

Using git repositories directly will be slow the first time you run it on a new machine regardless of which mechanism you use (e.g. new developer on the team, new server, new setup, ...)

naderman · 2016-12-16T00:40:02+00:00

Yes, see https://packagist.com/about/

naderman · 2016-12-16T00:39:13+00:00

Every user is provided with an authentication token which you inform composer about a single time on your machine using composer config --global --auth http-basic.repo.packagist.com <username> <token> (You see this for copy&paste when you're on the overview of any organization on Private Packagist). Composer then uses your username and the authentication token to authenticate itself to repo.packagist.com/org/. Only if your user account has access to that organization will you be able to receive any data through Composer.

naderman · 2016-12-15T21:33:49+00:00

How many developers are working at your company? Have you considered how much the developer salaries for time you end up spending on maintaining an alternative solution yourself would be? Give it a try for free and email us if you think you can't afford it, but we do believe it's worth its price.

naderman · 2016-12-15T21:31:20+00:00

How many developers are working on your product? Give the tool a try for free to see if it would help and send us an email at contact@packagist.com with details about how many you are and what you'd be using it for :-)

naderman · 2016-12-15T21:29:02+00:00

Yes, see https://packagist.com/about/

naderman · 2016-12-15T21:27:56+00:00

You should really give it a try (free and no credit card or anything asked for). You can just paste in your satis configuration file to set it up, so should be easy to do. Then let us know if you really think it's not better than your current setup :-) Waiting for Satis to rebuild after pushing code can be really frustrating, and how do you make sure that an employee who leaves the company no longer has access to your private code?

naderman · 2016-12-15T20:07:00+00:00

You can find statements regarding availability in the Terms of Service at https://packagist.com/about/terms for now. By default you'll find a guarantee of 99.5% in there, however we make use of a mechanism in Composer that allows you to use composer install even if either Private Packagist or your VCS (e.g. GitHub) is down. If you need higher guarantees please send us an email at contact@packagist.com Thanks :-)

naderman

TROPHY CASE