CVE-2025-67746
LOW EPSS 32.4%
Published Dec 30, 20256mo ago · Modified Jun 17, 20262w ago
1.3 CVSS 4.0
Published Dec 30, 2025 6mo ago
Last Modified Jun 17, 2026 2w ago
Description
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
32.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-74
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| getcomposer | composer | * | ≥2.0.0 – <2.2.26 |
| getcomposer | composer | * | ≥2.3.0 – <2.9.3 |
References 5
- github.com https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
- github.com https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
- github.com https://github.com/composer/composer/releases/tag/2.2.26
- github.com https://github.com/composer/composer/releases/tag/2.9.3
- github.com https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
Remediation
- github.com https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
- github.com https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71