Packagist Developers Patched a Vulnerability That Opened the Door to Attacks on the Supply Chain

Packagist developers have fixed the vulnerability
Written by Emma Davis

The developers of a major PHP package repository, Packagist, have announced that they have fixed a serious vulnerability that allowed injecting commands. The issue could have been used to stage supply chain attacks targeting the PHP community.

We also wrote that RCE Vulnerabilities in PHP Everywhere Plugin Threaten Thousands of WordPress Sites, and that Critical PHP Vulnerability Allows Code to Run on Qnap Devices.

Let me remind you that Packagist is not a package manager but a hosting service for PHP packages. It is Composer’s default package source, and Composer is used to download over 2 billion packages each month. Packagist is therefore one of the largest hosting services in the PHP ecosystem as a whole.

The problem was discovered by Sonar researchers, who report that the vulnerability, tracked as CVE-2022-24828 (CVSS score 8.8), allowed them to take complete control of Packagist. According to them, the issue is a command injection bug closely related to a similar bug in Composer (CVE-2021-29472), which was discovered in April 2021 and whose fix turned out to be incomplete.

“An attacker controlling a Git or Mercurial repository explicitly specified by a URL in a project’s composer.json file could use specially crafted branch names to execute commands on a machine running a Composer update,” reads the official Packagist security bulletin from April 2022.

Effectively, this means that by executing arbitrary commands on the internal server running the official Packagist instance, an attacker could intercept package update requests and inject malicious dependencies.
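The root cause described above is a VCS identifier (branch or tag name) taken from a repository the attacker controls and placed on a git or hg command line. The check below is an added illustration of the defensive pattern, not Composer's own code or its actual fix: reject identifiers that could be parsed as options or carry shell metacharacters, and build the command as an argv list with no shell. The ref names and repository path are constructed sample values; the `--end-of-options` flag assumes git 2.24 or newer.

```python
import re
import subprocess

# Conservative allow-list for branch/tag names: first character must be
# alphanumeric, so nothing that git or hg would read as an option gets through.
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


def is_safe_vcs_ref(ref: str) -> bool:
    """True only for identifiers that are safe to pass to a VCS binary."""
    if not ref or len(ref) > 255:
        return False
    if ref.startswith("-"):          # would be parsed as a flag, not a ref
        return False
    if ".." in ref or "@{" in ref or ref.endswith(".lock"):
        return False                 # git-specific revision syntax we never need
    return bool(SAFE_REF.match(ref))


def classify_refs(refs: list) -> dict:
    """Split a list of advertised ref names into accepted and rejected sets."""
    return {
        "accepted": [r for r in refs if is_safe_vcs_ref(r)],
        "rejected": [r for r in refs if not is_safe_vcs_ref(r)],
    }


def build_git_show_argv(repo_dir: str, ref: str, path: str) -> list:
    """argv for `git show <ref>:<path>`; no shell, so metacharacters are inert,
    and --end-of-options stops git from treating anything later as a flag."""
    if not is_safe_vcs_ref(ref):
        raise ValueError(f"refusing unsafe VCS identifier: {ref!r}")
    if path.startswith("-") or "\0" in path or ".." in path:
        raise ValueError(f"refusing unsafe path: {path!r}")
    return ["git", "-C", repo_dir, "show", "--end-of-options", f"{ref}:{path}"]


def read_file_at_ref(repo_dir: str, ref: str, path: str) -> bytes:
    """Run the command from an argv list (never shell=True) and return stdout."""
    argv = build_git_show_argv(repo_dir, ref, path)
    return subprocess.run(argv, check=True, capture_output=True).stdout


if __name__ == "__main__":
    # Constructed sample of ref names a hostile repository might advertise.
    sample = ["main", "release/2.3.5", "v1.10.26", "-branch", "--option", "main; ls"]
    print(classify_refs(sample))
```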

According to Sonar researchers, the vulnerability could be used to intercept more than 100 million requests to distribute malicious dependencies. As a result, this could lead to the potential compromise of millions of servers.

To date, there is no evidence that hackers have already exploited the vulnerability. The fixes were rolled out in Composer versions 1.10.26, 2.2.12, and 2.3.5 after the bug was reported to Packagist maintainers by Sonar experts in April 2022.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
