1.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67746

CVE-2025-67746: Composer vulnerable to ANSI sequence injection

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67746

CVE-2025-67746:

1.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
composer/composer	composer	>= 2.0.0, < 2.2.26	2.2.26
composer/composer	composer	>= 2.3.0, < 2.9.3	2.9.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Composer's handling of output displayed in the terminal. Data from remote sources, such as security advisories or package information, could contain ANSI escape sequences. When Composer commands rendered this data, these sequences were not sanitized, allowing them to be interpreted by the user's terminal. This could lead to garbled output, UI confusion, or a denial-of-service condition on the terminal application.

The patch addresses this by introducing a new static method, Composer\IO\ConsoleIO::sanitize(), which is designed to strip ANSI escape codes and other control characters from strings. This sanitization function is then applied proactively in multiple locations:

General I/O: The core write() and writeError() methods in ConsoleIO now sanitize all messages before they are printed, providing a broad layer of protection.
User Prompts: All functions that prompt the user for input (ask, askConfirmation, select, etc.) now sanitize the question text and any default values or choices that are displayed.
Specific Commands: Functions responsible for displaying security advisories (outputAdvisoriesTable) and abandoned package information (outputAbandonedPackages) now explicitly sanitize the data before rendering it in tables.

By implementing this output sanitization, the patch ensures that potentially malicious control characters from external sources are neutralized before they can affect the user's terminal, effectively mitigating the vulnerability.

Vulnerable functions

Composer\Advisory\Auditor::outputAdvisoriesTable

src/Composer/Advisory/Auditor.php

This function was vulnerable because it rendered advisory data directly to the console without sanitization. Since advisory data can be fetched from remote sources, a malicious advisory could inject ANSI escape codes to manipulate the terminal output.

Composer\Advisory\Auditor::outputAbandonedPackages

src/Composer/Advisory/Auditor.php

This function was vulnerable because it rendered package names and replacement suggestions directly to the console. This data, originating from package repositories, could contain malicious ANSI escape codes, leading to terminal manipulation.

Composer\IO\ConsoleIO::write

src/Composer/IO/ConsoleIO.php

This function writes messages to the standard output. Before the patch, it did not sanitize the messages, allowing specially crafted strings with ANSI escape codes to be printed to the terminal, which could manipulate the terminal's state or display.

Composer\IO\ConsoleIO::writeError

src/Composer/IO/ConsoleIO.php

This function writes messages to the standard error output. Before the patch, it did not sanitize the messages, allowing specially crafted strings with ANSI escape codes to be printed to the terminal, which could manipulate the terminal's state or display.

Composer\IO\ConsoleIO::ask

src/Composer/IO/ConsoleIO.php

This function asks a question to the user. The question text was not sanitized, allowing an attacker to inject ANSI escape codes into the terminal prompt.

Composer\IO\ConsoleIO::askConfirmation

src/Composer/IO/ConsoleIO.php

This function asks a confirmation question. The question text was not sanitized, allowing an attacker to inject ANSI escape codes into the terminal prompt.

Composer\IO\ConsoleIO::askAndValidate

src/Composer/IO/ConsoleIO.php

This function asks a question with validation. The question text was not sanitized, allowing an attacker to inject ANSI escape codes into the terminal prompt.

Composer\IO\ConsoleIO::askAndHideAnswer

src/Composer/IO/ConsoleIO.php

This function asks a question and hides the answer. The question text was not sanitized, allowing an attacker to inject ANSI escape codes into the terminal prompt.

Composer\IO\ConsoleIO::select

src/Composer/IO/ConsoleIO.php

This function prompts the user to select from a list of choices. The question text and the choices were not sanitized, allowing an attacker to inject ANSI escape codes into the terminal prompt and options.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67746: Composer vulnerable to ANSI sequence injection

CVE-2025-67746:

1.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-67746: Composer vulnerable to ANSI sequence injection

1.3

1.3

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI