CVE-2025-67746

EUVD-2025-205815
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
getcomposercomposer
2.0.0 ≤
𝑥
< 2.2.26
getcomposercomposer
2.3.0 ≤
𝑥
< 2.9.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
composer
bookworm
2.5.5-1+deb12u4
fixed
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
2.10.1-2
fixed
sid
2.10.2-1
fixed
trixie
2.8.8-1+deb13u2
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
composer
Amazon Linux 2023
0:2.9.3-1.amzn2023.0.1
fixed