Security Tip: Keep Your Tools Updated!

[Tip#71] We talk a lot about keeping our app dependencies updated, but we can't forget that our tools like Composer need updates too!


In case you missed the news, Composer released a security update during the week: This security update fixes the high severity risk CVE-2024-24821: Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

The vulnerability is fairly easy to understand:

Composer loads two files from a project’s `vendor/composer/` directory every time it’s executed: `InstalledVersions.php` and `installed.php`. If an attacker can modify these files, they can get their malicious code running on the victim’s computer. While this is expected behaviour during normal project activity¹, Composer will also load these files during global commands, such as `composer self-update`. This becomes a major security risk if you have Composer installed globally and you update it using `sudo composer self-update`. The malicious code is now run as root on your machine!

The updated versions (v2.7.0 or v2.2.23) have been patched so they verify the `InstalledVersions.php` and `installed.php` files before loading them, in an attempt to detect and prevent malicious scripts from being injected and loaded.

Their recommendations are:

  1. Update Composer ASAP.

  2. Don’t run Composer with `sudo`².
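To turn both recommendations into something you can actually run before `composer self-update`, here is an added example in POSIX shell. It is not code from the original post or from the Composer project: it refuses to proceed as root, and it reports whether the installed Composer already carries the fix named in the advisory (2.7.0 or later, or 2.2.23 or later on the 2.2 line). The function and script names, and the assumption that any version newer than the 2.x line keeps the fix, are my own; parsing `composer --version` by taking its third whitespace-separated field is also an assumption about that command's output format.

```shell
#!/bin/sh
# Added example (not from the original post or the Composer project): a pre-flight
# check for `composer self-update` that applies the two recommendations above.

# Exit status 0 when VERSION (e.g. "2.7.0", "2.2.23", "2.6.6") already contains
# the CVE-2024-24821 fix: 2.7.0+ on the main line, 2.2.23+ on the 2.2 LTS line.
composer_version_is_patched() {
    version="$1"
    # Anything that does not start with a digit is not a version we can judge.
    case "$version" in
        [0-9]*) ;;
        *) return 1 ;;
    esac
    major=$(printf '%s' "$version" | cut -d. -f1)
    minor=$(printf '%s' "$version" | cut -d. -f2)
    # Strip a pre-release suffix such as "-RC1" from the patch component.
    patch=$(printf '%s' "$version" | cut -d. -f3 | sed 's/[^0-9].*//')
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}

    # Assumption: releases newer than the 2.x line keep the fix.
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -ge 7 ] && return 0
    [ "$minor" -eq 2 ] && [ "$patch" -ge 23 ] && return 0
    return 1
}

# Combine both recommendations into one decision. UID and VERSION are passed in
# so the logic can be exercised without a real Composer install.
# Prints one of: refuse-root, already-patched, update-needed.
self_update_preflight() {
    uid="$1"
    version="$2"
    if [ "$uid" -eq 0 ]; then
        echo "refuse-root"       # recommendation 2: never `sudo composer self-update`
        return 1
    fi
    if composer_version_is_patched "$version"; then
        echo "already-patched"
    else
        echo "update-needed"     # recommendation 1: run `composer self-update` as this user
    fi
    return 0
}

# Stand-alone use. The version is only queried when not root, so this script
# never invokes Composer (and therefore never loads installed.php) as root.
current_uid=$(id -u)
installed="unknown"
if [ "$current_uid" -ne 0 ] && command -v composer >/dev/null 2>&1; then
    # Assumption: `composer --version` prints "Composer version X.Y.Z <date>".
    installed=$(composer --version 2>/dev/null | awk '{print $3}')
fi
self_update_preflight "$current_uid" "$installed" || true
```

Run it as the user that owns the Composer install; a `refuse-root` result means the right fix is to reinstall Composer for that user (see footnote 2), not to add `sudo`.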

This brings us back to the topic of this Security Tip: Keep Your Tools Updated!

Vulnerabilities can pop up anywhere across your entire development environment, from your framework and dependencies, through to your tools like Composer, Git, and PhpStorm, and on to your operating system.

Some are easier to exploit than others, but it’s important to keep them all updated.

Looking to learn more?
Security Tip #52: HTML autocomplete Attribute
▶️ In Depth #17: Storing Environment Variables Safely

👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code. 🕵️

👉 Worried about your app being hacked? Book in a Laravel Security Audit and Penetration Test! I can find the vulnerabilities before a hacker does, and help you fix them. 🕵️

  1. Composer supports plugins, which allow you to execute your own code when Composer runs. Likewise, malicious code in a dependency can attach itself to your app so it’s loaded when your app runs. However, all of these are run as the current user.

  2. It is far safer to install Composer as the current user, rather than as root. This makes updating easier and avoids potential `sudo` risks. If you do need to run it as root, make sure you execute the commands outside of project directories to prevent plugins and scripts from running.