Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Ubuntu 24.04 LTS: USN-7603-1 severe: composer code execution risk

Calendar Jul 02, 2025 User Avatar LinuxSecurity Advisories
1 - 2 min read
Ubuntu Large Esm H500
Topics%20covered

Topics Covered

security advisory arbitrary code execution important ubuntu software flaw composer
Several security issues were fixed in Composer. 
==========================================================================
Ubuntu Security Notice USN-7603-1
June 30, 2025

composer vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Composer.

Software Description:
- composer: Dependency Manager for PHP

Details:

Thomas Chauchefoin discovered that Composer did not correctly handle
certain arguments. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-24828, CVE-2023-43655)

Ed Cradock discovered that Composer did not correctly handle the exclusion
of certain files. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)

Martin Haunschmid discovered that Composer did not correctly handle git
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35241)

Maciej Piechota discovered that Composer did not correctly handle VCS
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35242)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  composer                        2.7.1-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  composer                        2.2.6-2ubuntu4+esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  composer                        1.10.1-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  composer                        1.6.3-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  composer                        1.0.0~beta2-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7603-1
  CVE-2022-24828, CVE-2023-43655, CVE-2024-24821, CVE-2024-35241,
  CVE-2024-35242

Ubuntu 24.04 LTS: USN-7603-1 severe: composer code execution risk

ubuntu
Calendar Grey July 2, 2025
Dist Ubuntu Esm H88
Numerous vulnerabilities in Composer for Ubuntu editions present significant dangers necessitating prompt upgrades.
Several security issues were fixed in Composer.

Summary

A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Composer. Software Description: - composer: Dependency Manager for PHP Details: Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655) Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821) Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35241) Maciej Pie...

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory arbitrary code execution important ubuntu software flaw composer

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS composer 2.7.1-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS composer 2.2.6-2ubuntu4+esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS composer 1.10.1-1ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 18.04 LTS composer 1.6.3-1ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 16.04 LTS composer 1.0.0~beta2-1ubuntu0.1~esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-7603-1

CVE-2022-24828, CVE-2023-43655, CVE-2024-24821, CVE-2024-35241,

CVE-2024-35242

Severity
critical
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-7603-1

Topics%20covered

Topics Covered

security advisory arbitrary code execution important ubuntu software flaw composer

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here