Security Tip: Keep Your Tools Updated!

[Tip#71] We talk a lot about keeping our app dependencies updated, but we can't forget that our tools, like Composer, need updates too!


Back in February 2024, Composer released a security update: https://blog.packagist.com/composer-2-7-and-cve-2024-24821/. This update fixes the high-severity vulnerability CVE-2024-24821: Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

The vulnerability is fairly easy to understand:

Composer loads two files from a project’s vendor/composer/ directory every time it is executed: InstalledVersions.php and installed.php. If an attacker can modify these files, they can get their malicious code running on the victim’s computer. While this is expected behaviour during normal project activity, Composer will also load these files during global commands, such as composer self-update.

This becomes a major security risk if you have Composer installed globally and you update it using sudo composer self-update. The malicious code is now run as root on your machine!

💡 Composer supports plugins, which allow you to execute your own code when Composer runs. Likewise, malicious code in a dependency can attach itself to your app so it’s loaded when your app runs. However, all of these are run as the current user.

The updated versions (v2.7.0 or v2.2.23) have been patched so they verify the InstalledVersions.php and installed.php files haven't been modified before loading them, in an attempt to detect and prevent malicious scripts from being injected and loaded.

The recommendations from Composer are:

  1. Update Composer ASAP.
  2. Don’t run Composer with sudo.

💡 It is far safer to install Composer as the current user, rather than as root. This makes updating easier and avoids potential sudo risks. If you do need to run it as root, make sure you execute the commands outside of project directories to prevent plugins and scripts from running.
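The two checks below turn the vulnerability description and the recommendations above into something you can run before touching Composer. This is an added example, not code from the original post or from Composer itself: one helper decides whether a Composer version string is at or above the fixed releases named above (2.7.0, or 2.2.23 on the 2.2 branch), and another flags the exact risky combination the post describes, running as root from a directory whose vendor/composer/installed.php Composer would load. The function names, the wrapper, and the sample version strings are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or of Composer.
# Helper names (composer_version_is_patched, root_in_project_dir,
# composer_version_from_output, guarded_self_update) are illustrative.

# composer_version_is_patched VERSION
#   exit 0 when VERSION is >= 2.7.0, or >= 2.2.23 on the 2.2 branch
#   (the fixed releases for CVE-2024-24821), exit 1 otherwise.
composer_version_is_patched() {
    v=${1#v}                 # accept "v2.7.0" as well as "2.7.0"
    v=${v%%[!0-9.]*}         # drop suffixes such as "-RC1" or "+build"
    oldifs=$IFS; IFS=.
    set -- $v                # split on "." into positional parameters
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -ge 7 ] && return 0                      # 2.7.0 and later
    [ "$minor" -eq 2 ] && [ "$patch" -ge 23 ] && return 0   # 2.2.23 backport
    return 1                                            # 2.0 .. 2.6.x, 2.2.<23
}

# composer_version_from_output "Composer version X.Y.Z <date>"
#   prints X.Y.Z from the first line of `composer --version`.
composer_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $3 }'
}

# root_in_project_dir DIR UID
#   exit 0 when UID is 0 and DIR contains vendor/composer/installed.php,
#   i.e. the file Composer would load (and execute) on any command run
#   from DIR, including a global one such as self-update.
root_in_project_dir() {
    [ "$2" -eq 0 ] && [ -f "$1/vendor/composer/installed.php" ]
}

# guarded_self_update [ARGS...]
#   Refuse "composer self-update" when it would run as root inside a
#   project directory; otherwise pass through to the real binary.
guarded_self_update() {
    if root_in_project_dir "$PWD" "$(id -u)"; then
        echo "refusing: running as root and $PWD/vendor/composer/installed.php would be loaded" >&2
        echo "move outside the project directory (cd /) or run as an unprivileged user" >&2
        return 1
    fi
    composer self-update "$@"
}

# --- demo on constructed inputs (no real Composer install required) ---
for ver in 2.6.6 2.2.22 2.2.23 2.7.0 v2.7.2-RC1; do
    if composer_version_is_patched "$ver"; then
        echo "$ver: patched for CVE-2024-24821"
    else
        echo "$ver: VULNERABLE, update Composer"
    fi
done

# constructed sample of `composer --version` output
sample='Composer version 2.6.6 2023-12-08 18:32:26'
echo "parsed version: $(composer_version_from_output "$sample")"

# constructed project tree in a temp dir, removed on exit
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/vendor/composer"
: > "$tmp/vendor/composer/installed.php"
if root_in_project_dir "$tmp" 0; then
    echo "root + $tmp: installed.php would run as root"
fi
if ! root_in_project_dir "$tmp" 1000; then
    echo "uid 1000 + $tmp: runs as the current user only"
fi
```

On a real machine, feed `composer_version_from_output "$(composer --version)"` into `composer_version_is_patched` to check the installed binary, and alias `composer self-update` to `guarded_self_update` for the root account if it must keep a global install at all.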

This brings us back to the topic of this Security Tip: Keep Your Tools Updated!

Vulnerabilities can pop up anywhere across your entire development environment, from your framework and dependencies, through to your tools like Composer, Git, and PhpStorm, and on to your operating system.

Some are easier to exploit than others, but it’s important to keep them all updated.


Found this security tip useful? 👍
Subscribe now to get weekly Security Tips straight to your inbox, filled with practical, actionable advice to help you build safer apps.

Want to learn more? 🤓
Upgrade to a Premium Subscription for exclusive monthly In Depth articles, or support my work with a one-off tip or recurring Sponsorship! Your support directly funds my security work in the Laravel community. 🥰

Need a second set of eyes on your code?
Book in a Laravel Security Audit and Penetration Test today! I also offer budget-friendly Security Reviews.

Finally, connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.