Security Tip: Keep Your Tools Updated!
[Tip#71] We talk a lot about keeping our app dependencies updated, but we can't forget that our tools, like Composer, need updates too!
Back in February 2024, Composer released a security update: https://blog.packagist.com/composer-2-7-and-cve-2024-24821/. This update fixes the high-severity vulnerability CVE-2024-24821: Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.
The vulnerability is fairly easy to understand:
Composer loads two files from a project's vendor/composer/ directory every time it is executed: InstalledVersions.php and installed.php. If an attacker can modify these files, they can get their malicious code running on the victim's computer. Loading them is expected behaviour during normal project activity (Composer generates them itself), but Composer will also load them during global commands, such as composer self-update, whenever they are present in the current directory.
This becomes a major security risk if you have Composer installed globally and you update it from inside a project directory using sudo composer self-update. The malicious code is now run as root on your machine!
The patched versions (v2.7.0 and v2.2.23) verify that InstalledVersions.php and installed.php haven't been modified before loading them, to detect and block malicious code that has been injected into those files.
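As an added example (not code from the post or from Composer itself), here is a small POSIX shell helper that applies the two mitigations together: it checks whether the installed Composer already carries the CVE-2024-24821 fix (2.7.0 for the 2.x line, 2.2.23 for the 2.2 LTS line), refuses to run self-update from inside a directory that contains vendor/composer/InstalledVersions.php or installed.php, and never uses sudo. The "Composer version X.Y.Z <date>" output format it parses, and the sample version line, are assumptions for the example.

```sh
# Added example, not code from the post or from Composer itself.
# Helpers for a safe `composer self-update`: check whether the installed
# Composer already carries the CVE-2024-24821 fix (2.7.0 for the 2.x line,
# 2.2.23 for the 2.2 LTS line), and never run self-update from a directory
# holding vendor/composer/InstalledVersions.php or installed.php.
# Assumption: `composer --version` prints a line of the form
# "Composer version X.Y.Z <date>" (the sample line in the tests is constructed).

# Extracts "X.Y.Z[-suffix]" from a `composer --version` line; prints nothing
# if the line is not in the expected form.
parse_composer_version() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([^ ]*\).*/\1/p'
}

# Returns 0 when the given version string carries the fix, 1 otherwise.
# Unknown or malformed versions are treated as unpatched.
composer_version_is_patched() {
    ver=$1
    case "$ver" in
        *.*.*) ;;
        *) return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[!0-9]*}           # drop "-RC1" / "+build" style suffixes
    [ -n "$patch" ] || return 1
    [ "$major" -gt 2 ] && return 0   # any later major line
    [ "$major" -eq 2 ] || return 1   # Composer 1.x is end-of-life and unpatched
    if [ "$minor" -eq 2 ]; then
        [ "$patch" -ge 23 ]          # 2.2 LTS line: fixed in 2.2.23
    elif [ "$minor" -ge 7 ]; then
        return 0                     # 2.7.0 and later
    else
        return 1                     # 2.0, 2.1 and 2.3 to 2.6 never got the fix
    fi
}

# Returns 0 when the directory ($1, default: current directory) contains the
# files Composer includes at start-up, i.e. a place self-update must not be
# run from.
dir_has_composer_runtime_files() {
    d=${1:-.}
    [ -f "$d/vendor/composer/InstalledVersions.php" ] ||
        [ -f "$d/vendor/composer/installed.php" ]
}

# Runs `composer self-update` without sudo, from an empty temporary directory
# if the current directory is a project. Exit status is Composer's.
safe_self_update() {
    current=$(parse_composer_version "$(composer --version 2>/dev/null)")
    if composer_version_is_patched "$current"; then
        echo "Composer $current already has the CVE-2024-24821 fix, updating anyway" >&2
    else
        echo "Composer ${current:-?} predates the fix, updating" >&2
    fi
    if dir_has_composer_runtime_files "$PWD"; then
        tmp=$(mktemp -d) || return 1
        echo "Inside a project directory, running self-update from $tmp" >&2
        (cd "$tmp" && composer self-update)
        rc=$?
        rmdir "$tmp"
        return "$rc"
    fi
    composer self-update
}
```

Source the file and call safe_self_update from your normal user account. If Composer really has to be updated as root, run the whole script as root rather than prefixing the command with sudo from a project shell; the wrapper still moves to an empty directory before invoking self-update, so nothing under vendor/composer/ is included by the process.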
The recommendations from Composer are:
- Update Composer ASAP.
- Don't run Composer with sudo; Composer's own documentation explains the sudo risks. If you do need to run it as root, make sure you execute the commands outside of project directories to prevent plugins and scripts from running.
This brings us back to the topic of this Security Tip: Keep Your Tools Updated!
Vulnerabilities can pop up anywhere across your entire development environment, from your framework and dependencies, through to your tools like Composer, Git, and PhpStorm, and on to your operating system.
Some are easier to exploit than others, but it’s important to keep them all updated.