Flaw in Composer package manager allowed supply-chain attacks
The developers of Composer, a package manager for PHP, have released an update that addresses a critical vulnerability. If exploited, the flaw allows attackers to execute arbitrary commands on Packagist, the central Composer repository, and from there to backdoor every PHP package distributed through it.
The flaw is tracked as CVE-2021-29472 and was reported by SonarSource last week. To the developers' credit, an urgent patch was released in under 12 hours.
"We have fixed a command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," the Composer release notes state (via packagist.com).
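The bug class named in that release note, a user-supplied VCS URL reaching the `hg` binary as an argument it parses as an option, is easy to reproduce in miniature. The following is an added illustration, not Composer's code and not SonarSource's proof of concept: it assumes a hypothetical wrapper that builds an `hg clone` command line, uses constructed sample URLs, and assumes that `hg`, like POSIX-style command-line tools in general, treats `--` as the end of options.

```python
"""Argument injection through a repository URL: vulnerable vs hardened.

Added illustration (not Composer's code). A VCS front-end takes a
user-supplied URL and passes it to `hg`. Even when the URL is shell-quoted,
the quoted string still arrives in hg's argv as one element; if that
element starts with `-`, hg parses it as an option rather than a URL.
"""
import shlex
from urllib.parse import urlparse

# Constructed sample inputs. The malicious one is option-shaped: hg would
# read it as `--config alias.clone=!id`, i.e. "run the shell command `id`
# whenever the `clone` command is invoked".
MALICIOUS_URL = "--config=alias.clone=!id"
BENIGN_URL = "https://hg.example.org/vendor/project"

# Assumption for this illustration: only remote http(s)/ssh URLs are accepted.
ALLOWED_SCHEMES = ("http", "https", "ssh")


def vulnerable_argv(url, dest):
    """'Before' pattern: build a shell string with shlex.quote, then split it.

    shlex.quote neutralises shell metacharacters such as `;` and `|`, but
    it cannot stop hg itself from treating the element as an option.
    """
    command = "hg clone {} {}".format(shlex.quote(url), shlex.quote(dest))
    return shlex.split(command)


def validate_repo_url(url):
    """Reject anything hg could parse as an option, then require a remote URL.

    Local paths and other schemes are deliberately out of scope here.
    """
    if url.startswith("-"):
        raise ValueError("repository URL must not start with '-': %r" % url)
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError("unsupported repository URL: %r" % url)
    return url


def hardened_argv(url, dest):
    """'After' pattern: validate, then pass argv as a list with `--`.

    `--` ends option parsing (assumption: hg honours it, as POSIX-style CLIs
    do), so even a URL that slipped past validation lands as a positional.
    No shell is involved, so no quoting is needed at all.
    """
    return ["hg", "clone", "--", validate_repo_url(url), dest]


def is_accepted(url):
    """True if the hardened builder would accept this URL."""
    try:
        validate_repo_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_argv(MALICIOUS_URL, "checkout"))
    for url in (BENIGN_URL, MALICIOUS_URL):
        print(url, "->", "accepted" if is_accepted(url) else "rejected")
```

The point of the two builders side by side is that quoting is the wrong tool: `vulnerable_argv` delivers the option-shaped string to `hg` unchanged even though it was quoted, whereas `hardened_argv` refuses it before any process is spawned and, as defence in depth, separates positionals from options with `--`.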
Source: anti-malware.ru
03 May 2021