The developers of the Composer PHP package manager have fixed a critical vulnerability that could be used to execute arbitrary commands and backdoor every PHP package, leading to supply-chain attacks. The vulnerability received the identifier CVE-2021-29472 and was discovered on April 22, 2021 by researchers from SonarSource. Less than 12 hours later, a fix for the bug was submitted.
"The command injection vulnerability in HgDriver / HgDownloader has been fixed, and other VCS drivers and loaders have been hardened," the Composer developers report in the release notes for versions 2.0.13 and 1.10.22 posted on Wednesday. "As far as we know, the vulnerability was not exploited by hackers."
According to SonarSource, the vulnerability stems from the way download URLs of source packages are handled, which could lead to remote command injection.
"A vulnerability in a central component that serves over 100,000,000 package metadata requests per month has a huge impact, as such a vulnerability can be exploited to steal developer credentials or redirect package downloads to third-party servers that provide dependencies with backdoors," SonarSource notes.