A flaw in the Packagist PHP repository could have allowed supply chain attacks

Pierluigi Paganini October 04, 2022

Experts disclosed a flaw in the PHP software package repository Packagist that could have been exploited to carry out supply chain attacks.

SonarSource Researchers disclosed details about a now-fixed vulnerability (CVE-2022-24828) in PHP software package repository Packagist,, that could have been exploited to carry out supply chain attacks. The issue was addressed within hours by the maintainers of the impacted repository. 

“Sonar discovered and responsibly disclosed a critical vulnerability in Packagist, a central component of the PHP supply chain, to help secure developer tools.” reads the post published by SonarSource.

“This vulnerability allows gaining control of Packagist. It is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

Packagist supply chain flaw

Virtually all organizations running PHP code are using Composer, which serves 2 billion software packages every month. More than a hundred million of these requests could have been hijacked to distribute malicious dependencies and compromise millions of servers.”

The experts pointed out that an attacker can have triggered the high-severity flaw to take control of the server distributing information about existing PHP software packages, and potentially to compromise every organization that uses them. 

The CVE-2022-24828 (CVSS score: 8.8) flaw is a command injection issue and the experts explained it is linked to another command injection Composer vulnerability, tracked as CVE-2021-29472.

“During our security research, we discovered a critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server.” reads the post published by SonarSource in April 2021, “A vulnerability in such a central component, serving more than 100M package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies.”

Below is the step-by-step procedure that could have allowed attackers to exploit the vulnerability against Packagist:

  • Create a project in a remote Mercurial repository;
  • Put the manifest in composer.json and add a malicious readme entry;
  • When using a payload like the one depicted above, create a file named payload.sh to perform the desired actions;
    undefined
  • Import the package on Packagist, and request an update of the package.

The researchers also published a video PoC that demonstrate the execution of arbitrary commands on the server: 

“The next step would be to modify the definition of a package to point to an unintended destination and compromise the application in which they are used; this is something that we’ve already demonstrated in our Insomni’hack talk and won’t be presented again in this article.” continues SonarSource. “The exploitability of this vulnerability on the production instance, packagist.org, was also demonstrated with a non-destructive command.”

Experts highlighted that backend services perform the association between the name of a package and where the package manager should download it from. This means that an attacker can compromise these services to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package based on data from 2021. The issue can impact most open-source and commercial PHP projects because Composer is the standard package manager for PHP.

Composer versions 1.10.26, 2.2.12, and 2.3.5 addressed the issue, the good news is that at this time there is no evidence the vulnerability has been exploited in the wild.

“We demonstrated how we discovered an argument injection in the backend services of the PHP package manager Composer and could successfully exploit it to compromise any PHP software dependency.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment