Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2026-03590

Опубликовано: 30 дек. 2025
Источник: fstec
CVSS3: 4.3
CVSS2: 4
EPSS Низкий

Описание

Уязвимость менеджера зависимостей для PHP Composer связана с недостаточной нейтрализацией специальных элементов в запросе. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код

Вендор

ООО «Ред Софт»
Nils Adermann, Jordi Boggiano

Наименование ПО

РЕД ОС
Composer

Версия ПО

8.0 (РЕД ОС)
до 2.9.3 (Composer)

Тип ПО

Операционная система
Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

ООО «Ред Софт» РЕД ОС 8.0

Уровень опасности уязвимости

Средний уровень опасности (базовая оценка CVSS 2.0 составляет 4)
Средний уровень опасности (базовая оценка CVSS 3.1 составляет 4,3)

Возможные меры по устранению уязвимости

Использование рекомендаций:
https://github.com/composer/composer
https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
https://github.com/composer/composer/releases/tag/2.2.26
https://github.com/composer/composer/releases/tag/2.9.3
https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
Для Ред ОС:
https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-composer-cve-2025-67746-7.3/?sphrase_id=1456303

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 9%
0.0003
Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Связанные уязвимости

redos логотип

ROS-20260209-73-0024

CVSS3: 4.3
redos
около 2 месяцев назад

Уязвимость composer

ubuntu логотип

CVE-2025-67746

CVSS3: 4.3
ubuntu
3 месяца назад

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

redhat логотип

CVE-2025-67746

CVSS3: 3.5
redhat
3 месяца назад

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

nvd логотип

CVE-2025-67746

CVSS3: 4.3
nvd
3 месяца назад

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

debian логотип

CVE-2025-67746

CVSS3: 4.3
debian
3 месяца назад

Composer is a dependency manager for PHP. In versions on the 2.x branc ...

EPSS

Процентиль: 9%
0.0003
Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2