The developers of a major PHP package repository, Packagist, have announced that they have fixed a serious vulnerability that allowed injecting commands. The issue could have been used to stage supply chain attacks targeting the PHP community.
We also wrote that RCE Vulnerabilities in PHP Everywhere Plugin Threaten Thousands of WordPress Sites, and that Critical PHP Vulnerability Allows Code to Run on Qnap Devices.

Let me remind you that Packagist is not a package manager but a hosting service for PHP packages. It is Composer's default hosting, and each month Composer is used to download over 2 billion packages. In fact, Packagist is one of the largest hosting services in the PHP ecosystem as a whole.
The problem was discovered by Sonar specialists, who report that the vulnerability, which received the identifier CVE-2022-24828 (8.8 points on the CVSS scale), allowed them to completely seize control of Packagist. According to them, the problem is a command injection bug and is closely related to another similar bug in Composer (CVE-2021-29472), which was discovered in April 2021 and whose fix turned out to be incomplete.
Effectively, this means that package update requests could be intercepted to inject malicious dependencies by executing arbitrary commands on the internal server running the official Packagist instance.
According to Sonar researchers, the vulnerability could be used to intercept more than 100 million requests to distribute malicious dependencies. As a result, this could lead to the potential compromise of millions of servers.
To date, there is no evidence that hackers have already exploited the vulnerability. The fixes were rolled out to Composer versions 1.10.26, 2.2.12, and 2.3.5 after the bug was reported to Packagist maintainers by Sonar experts in April 2022.
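The actionable part of the article is the list of fixed Composer releases, so a quick way to act on it is a checker that classifies an installed Composer version against those three branches. The script below is an added example, not code from the article, Composer or Packagist. The fixed versions 1.10.26, 2.2.12 and 2.3.5 are taken from the text; the branch mapping, the assumption that any release at or above 2.3.5 (including later 2.x branches) carries the fix, and the "no-listed-fix" result for branches the article does not mention (for example 2.0.x or 2.1.x) are assumptions made here.

```python
"""Classify a Composer version against the CVE-2022-24828 fix releases.

Added example, not part of the original article. The fix versions come
from the article; the branch handling below is an assumption.
"""
import re
import subprocess
from typing import Optional, Tuple

# Fix versions per release branch, as reported in the article.
FIXED_VERSIONS = {
    (1, 10): (1, 10, 26),
    (2, 2): (2, 2, 12),
    (2, 3): (2, 3, 5),
}

# Assumption: the newest listed fix; later branches are treated as patched.
NEWEST_FIX = FIXED_VERSIONS[(2, 3)]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z version from a line such as
    'Composer version 2.3.4 2022-03-01 12:00:00'."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Return 'patched', 'vulnerable' or 'no-listed-fix'.

    'no-listed-fix' marks branches the article gives no fix for; those
    installations need an upgrade to a listed fixed release (assumption).
    """
    if version >= NEWEST_FIX:
        return "patched"  # assumption: 2.3.5 and anything newer carry the fix
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "no-listed-fix"
    return "patched" if version >= fixed else "vulnerable"


def check_output_line(line: str) -> str:
    """Classify one line of `composer --version` output."""
    version = parse_version(line)
    if version is None:
        return "unknown"
    return assess(version)


def check_local_composer() -> str:
    """Run `composer --version` on this host and classify the result.
    Returns 'unknown' when composer is not on PATH."""
    try:
        result = subprocess.run(
            ["composer", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return "unknown"
    return check_output_line(result.stdout)


if __name__ == "__main__":
    # Constructed sample lines in the shape `composer --version` prints.
    samples = [
        "Composer version 2.3.4 2022-03-01 12:00:00",
        "Composer version 2.3.5 2022-04-13 16:43:00",
        "Composer version 2.2.11 2022-03-01 12:00:00",
        "Composer version 1.10.26 2022-04-13 16:39:00",
        "Composer version 2.1.14 2021-11-30 10:51:43",
    ]
    for sample in samples:
        print(f"{sample!r:55} -> {check_output_line(sample)}")
    print("local composer ->", check_local_composer())
```

In a fleet-wide audit the same `assess` function can be fed versions collected from `composer.lock` or from each host's `composer --version` output; anything reported as "vulnerable" or "no-listed-fix" should be moved to one of the three releases the article lists.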