Security Tip: Keep Your Tools Updated!

[Tip#71] We talk a lot about keeping our app dependencies updated, but we can't forget that our tools, like Composer, need updates too!

Back in February 2024, Composer released a security update: https://blog.packagist.com/composer-2-7-and-cve-2024-24821/. This update fixes CVE-2024-24821, a high severity vulnerability: Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

The vulnerability is fairly easy to understand:

Composer loads two files from the project’s vendor/composer/ directory every time it is executed: InstalledVersions.php and installed.php. If an attacker can modify either of these files, their malicious code runs on the victim’s computer. Loading PHP from vendor/ is expected while you are working inside a project (that is how the autoloader works), but Composer also loads these two files when you run global commands, such as composer self-update, from inside a project directory.

This becomes a major security risk if you have Composer installed globally and you update it with sudo composer self-update from inside a project directory. The malicious code is now running as root on your machine!

💡
Composer supports plugins, which allow you to execute your own code whenever Composer runs. Likewise, malicious code in a dependency can hook itself into your app so it is loaded whenever your app runs. However, all of these run as the current user, not as root, which is what makes the sudo case above different.

The patched versions (v2.7.0, or v2.2.23 on the 2.2 LTS branch) verify that InstalledVersions.php and installed.php haven't been modified before loading them, so that an injected script is detected and not executed.

The recommendations from Composer are:

  1. Update Composer ASAP.
  2. Don’t run Composer with sudo.
💡
It is far safer to install Composer as the current user than as root: updating is easier, and there is no sudo to abuse. If you really do need to run it as root, execute the commands outside of any project directory so that no plugins, scripts, or vendor/composer/ files get loaded.
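As an added example (not code from the original post, and not Composer's own code), here is a small POSIX shell script that turns the mechanism above and the two recommendations into checks you can run before touching Composer: a version test for the patched releases named in the advisory, an out-of-band integrity manifest for the two files Composer autoloads from vendor/composer/ (the same idea as the 2.7.0 fix, applied before Composer is run at all), and a gate that refuses global commands when run as root or from inside a project directory. The file names and the project layout come from the post; the function names, the manifest format, the sample version strings and the constructed project tree in the demo are this example's own, and the version parsing is deliberately simple (major.minor.patch with an optional leading "v" and trailing suffix).

```shell
#!/usr/bin/env sh
# Added example: not code from the original post or from Composer itself.
# Assumptions: the patched releases are 2.2.23 (2.2 branch) and 2.7.0, as
# named in the advisory, and the two autoloaded files live at
# vendor/composer/InstalledVersions.php and vendor/composer/installed.php.
# Function names and the manifest format are this example's own.

# 1. Version check. True (0) for 2.7.0+, for 2.2.23+ on the 2.2 branch, and
#    for any 3.x+. Composer 1.x is end-of-life and never received the fix.
composer_is_patched() {
    local v major minor rest patch
    v=${1#v}                         # accept "v2.7.0" as well as "2.7.0"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;     # "7.0" -> "0"
        *)   patch=0 ;;              # "2.7" has no patch component
    esac
    patch=${patch%%[!0-9]*}          # "23-dev" -> "23"
    : "${patch:=0}"
    case "$major$minor$patch" in
        *[!0-9]*|'') return 1 ;;     # unparseable: treat as unpatched
    esac
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    if [ "$minor" -eq 2 ]; then
        [ "$patch" -ge 23 ]          # 2.2 LTS branch
    else
        [ "$minor" -ge 7 ]           # 2.3 .. 2.6 never got the fix
    fi
}

# 2. Integrity manifest for the files Composer autoloads from vendor/composer/.
#    Record it right after a trusted `composer install`; verify it before any
#    Composer run (CI step or pre-commit hook), on any Composer version.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

record_vendor_hashes() {            # record_vendor_hashes <project_dir> <manifest>
    local f
    : > "$2"
    for f in InstalledVersions.php installed.php; do
        printf '%s %s\n' "$(hash_file "$1/vendor/composer/$f")" \
            "$1/vendor/composer/$f" >> "$2"
    done
}

verify_vendor_hashes() {            # verify_vendor_hashes <manifest>; 1 if anything changed
    local expected path actual
    while read -r expected path; do
        [ -f "$path" ] || return 1                 # missing file counts as tampering
        actual=$(hash_file "$path")
        if [ "$actual" != "$expected" ]; then
            echo "TAMPERED: $path" >&2
            return 1
        fi
    done < "$1"
    return 0
}

# 3. Gate for global commands such as `composer self-update`: refuse to run as
#    root, and refuse to run from a directory that has vendor/composer/ files,
#    because root + project directory is exactly the combination the CVE abuses.
composer_global_cmd_is_safe() {     # composer_global_cmd_is_safe <cwd> [uid]
    local cwd="$1" uid="${2:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "refusing: running as root; install Composer per-user instead" >&2
        return 1
    fi
    if [ -e "$cwd/vendor/composer/InstalledVersions.php" ] || \
       [ -e "$cwd/vendor/composer/installed.php" ]; then
        echo "refusing: $cwd is a project directory; run global commands elsewhere" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed project tree (stand-ins for the generated files).
tmp=$(mktemp -d)
mkdir -p "$tmp/proj/vendor/composer"
printf '<?php\n// constructed stand-in for the generated file\n' \
    > "$tmp/proj/vendor/composer/InstalledVersions.php"
printf '<?php return array();\n' > "$tmp/proj/vendor/composer/installed.php"
record_vendor_hashes "$tmp/proj" "$tmp/manifest"
verify_vendor_hashes "$tmp/manifest" && echo "clean: files match the manifest"
printf '<?php // attacker-modified\n' >> "$tmp/proj/vendor/composer/installed.php"
verify_vendor_hashes "$tmp/manifest" || echo "tampering detected: do not run composer here"
for v in 2.6.6 2.2.23 2.7.0; do
    composer_is_patched "$v" && echo "$v: patched" || echo "$v: vulnerable, update"
done
composer_global_cmd_is_safe "$tmp" 1000 && echo "ok to self-update from $tmp as uid 1000"
composer_global_cmd_is_safe "$tmp/proj" 0 || echo "(refused, as intended)"
rm -rf "$tmp"
```

The manifest check is only as good as the moment you record it, so record it from a clean checkout or right after a `composer install` you trust, and store it outside vendor/ (which is writable by anything that can write vendor/ in the first place). The gate does not make sudo safe; it just refuses the one combination the advisory describes, which is a stop-gap until Composer is updated and installed per-user.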

This brings us back to the topic of this Security Tip: Keep Your Tools Updated!

Vulnerabilities can pop up anywhere across your entire development environment, from your framework and dependencies, through to your tools like Composer, Git, and PhpStorm, and on to your operating system.

Some are easier to exploit than others, but it’s important to keep them all updated.