CVE-2025-67746

LOW EPSS 32.4%
Published Dec 30, 20256mo ago · Modified Jun 17, 20262w ago
1.3 CVSS 4.0
Low
Find Similar
Published Dec 30, 2025 6mo ago
Last Modified Jun 17, 2026 2w ago

Description

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

CVSS Details

Base Score
1.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
32.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-74

Affected Products 2

VendorProductVersionRange
getcomposercomposer*≥2.0.0  –  <2.2.26
getcomposercomposer*≥2.3.0  –  <2.9.3

References 5

  • github.com https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
    Patch
  • github.com https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
    Patch
  • github.com https://github.com/composer/composer/releases/tag/2.2.26
    ProductRelease Notes
  • github.com https://github.com/composer/composer/releases/tag/2.9.3
    ProductRelease Notes
  • github.com https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
    Vendor Advisory

Remediation

  • github.com https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
    Patch
  • github.com https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
    Patch