Cyber Resilience

CVE-2024-35242

Severity: High · RCE

Published: 10 June 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2379 (96.1st percentile)
Risk Priority: 32 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-35242 is a high-severity Command Injection (CWE-77) vulnerability affecting Fedoraproject (vendor inferred from references). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

Composer is a dependency manager for PHP. CVE-2024-35242 is a command-injection vulnerability (CWE-77) affecting the 2.x branch prior to versions 2.2.24 and 2.7.7. When the `composer install` command executes inside a git or Mercurial repository containing specially crafted branch names, arbitrary commands can be injected and run. The flaw carries a CVSS 3.1 score of 8.8.

An attacker who can induce a victim to clone an untrusted repository and subsequently run `composer install` can achieve remote command execution with the privileges of the Composer process, resulting in full confidentiality, integrity, and availability impact.

Patches addressing the issue are available in Composer 2.2.24 (LTS) and 2.7.7 (mainline), with the fixes documented in the associated GitHub commits and security advisory GHSA-v9qv-c7wm-wgmf. As a workaround, users are advised to avoid cloning repositories from untrusted sources. The EPSS score peaked at 0.2521 and has since receded to 0.2379.
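As an added example (not code from this page or from the Composer project), the check below classifies an installed Composer version against the two fixed releases named above, so an asset inventory can flag 2.x installs that still need the upgrade. The `composer --version` output format it parses is an assumption; only the 2.x branch is in scope because that is all the advisory covers.

```python
import re

# Fixed versions stated in the advisory: 2.2.24 for the 2.2 LTS line,
# 2.7.7 for mainline. Everything on 2.x below the applicable fix is affected.
FIX_LTS = (2, 2, 24)
FIX_MAIN = (2, 7, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first x.y.z triple from a string such as the output of
    `composer --version` (assumed format: 'Composer version 2.7.6 2024-05-06 ...').
    A pre-release suffix such as '-RC1' is ignored, so '2.7.7-RC1' is treated
    as 2.7.7; tighten this if pre-releases are in use in your fleet."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Return (vulnerable, upgrade_target) for CVE-2024-35242.

    2.0.x, 2.1.x and 2.2.x are measured against the 2.2 LTS fix; 2.3.x and
    later against the mainline fix. Non-2.x majors return (False, None),
    meaning 'not covered by this advisory', not 'known safe'.
    """
    major, minor, patch = parse_version(text)
    if major != 2:
        return False, None
    fix = FIX_LTS if minor <= 2 else FIX_MAIN
    vulnerable = (major, minor, patch) < fix
    return vulnerable, (".".join(map(str, fix)) if vulnerable else None)


if __name__ == "__main__":
    # Constructed sample lines standing in for `composer --version` output.
    for line in ("Composer version 2.7.6 2024-05-06 20:21:54",
                 "Composer version 2.2.23 2024-05-06 20:21:54",
                 "Composer version 2.5.0 2023-02-10 12:00:00",
                 "Composer version 2.7.7 2024-06-10 22:11:12"):
        print(line.split()[2], assess(line))
```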


Vulnerability details

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Fedoraproject (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
