CVE-2023-43655:
Composer Remote Code Execution vulnerability via web-accessible composer.phar

CVSS Score
8.8 (CVSS v3.1)

Basic Information

EPSS Score
0.83331%
Published
9/29/2023
Updated
2/13/2025
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name      | Ecosystem | Vulnerable Versions  | First Patched Version
composer/composer | composer  | < 1.10.27            | 1.10.27
composer/composer | composer  | >= 2.0.0, < 2.2.22   | 2.2.22
composer/composer | composer  | >= 2.3.0, < 2.6.4    | 2.6.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from Composer's entry point script (bin/composer) being executable as a PHP file in web-accessible environments with register_argc_argv enabled. The core issue is not a specific function but the lack of environment validation in the main script flow. The patch adds a check at the script level (not within a specific function) to abort execution when running under non-CLI SAPIs with register_argc_argv enabled. No specific functions are named as vulnerable in the advisory or commit diffs; the risk arises from the interaction between PHP's argv handling and Composer's entry-point execution context.
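As an added illustration (not Composer's own bin/composer code), the following PHP guard implements the script-level check the patch is described as adding; the function name and the choice to pass the SAPI name and ini value in as parameters are assumptions made here so the decision logic can be exercised on constructed inputs:

```php
<?php
// Added example, not taken from Composer. It mirrors the described fix:
// refuse to run a CLI-only entry point when PHP is serving the script through
// a non-CLI SAPI and register_argc_argv is enabled.
//
// Background (PHP documentation): with register_argc_argv=On, PHP populates
// $argv/$argc for web SAPIs as well, deriving them from the request query
// string. A composer.phar served from a document root would therefore parse
// request-controlled "arguments" as if they had been typed on a terminal.

/**
 * Returns null when execution may proceed, otherwise the message to print
 * before aborting. $sapi is normally PHP_SAPI; $registerArgcArgv is the raw
 * php.ini value (e.g. "1", "0", "On", "Off", "").
 */
function composerEntryPointGuard(string $sapi, string $registerArgcArgv): ?string
{
    // php.ini booleans come in several spellings; filter_var normalises them.
    $argvEnabled = filter_var($registerArgcArgv, FILTER_VALIDATE_BOOLEAN);

    if ($sapi !== 'cli' && $argvEnabled) {
        return 'Composer should be invoked via the CLI version of PHP, not the '
            . $sapi . ' SAPI with register_argc_argv enabled.';
    }

    return null;
}

// Placed at the very top of the entry point, before any argument parsing.
// echo rather than STDERR, because STDERR is only defined under the CLI SAPI.
$guardMessage = composerEntryPointGuard(PHP_SAPI, (string) ini_get('register_argc_argv'));
if ($guardMessage !== null) {
    echo $guardMessage . PHP_EOL;
    exit(1);
}

// Self-check on constructed inputs: CLI is allowed, a web SAPI with the
// setting on is refused, a web SAPI with it off is allowed (no $argv there).
assert(composerEntryPointGuard('cli', '1') === null);
assert(composerEntryPointGuard('apache2handler', 'On') !== null);
assert(composerEntryPointGuard('fpm-fcgi', '0') === null);
echo 'guard checks passed' . PHP_EOL;
```

The guard only closes the argv path the advisory describes; keeping composer.phar out of any web-served directory remains the primary mitigation, since the check does nothing for a file that is simply downloadable.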


WAF Protection Rules

WAF Rule

### Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.

### Patches

2.6.4, 2.2.22 and 1.10.27 patch
