
Improper escaping of command arguments on Windows leading to command injection

Moderate
Seldaek published GHSA-frqg-7g38-6gcf Oct 5, 2021

Package

composer composer/composer (Composer)

Affected versions

<1.10.23 || >=2.0,<2.1.9

Patched versions

1.10.23, 2.1.9

Description

Impact

Windows users running Composer to install untrusted dependencies are affected and should definitely upgrade. Other operating systems and WSL are not affected.

Patches

Versions 1.10.23 and 2.1.9 fix the issue.
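
The following is an added example, not code from Composer or from this advisory: a small audit helper that applies the affected range and the Windows-only condition stated above to `composer --version` output collected from a fleet. The platform labels, host names and sample rows are assumptions constructed for illustration.

```python
import re

# Affected range stated in the advisory: <1.10.23 || >=2.0,<2.1.9
FIXED_1X = (1, 10, 23)
FIRST_2X = (2, 0, 0)
FIXED_2X = (2, 1, 9)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from a version string or `composer --version`
    output. Pre-release suffixes are ignored (assumption: flag conservatively)."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def in_affected_range(version):
    """True when the version tuple falls inside the advisory's range."""
    return version < FIXED_1X or FIRST_2X <= version < FIXED_2X


def needs_upgrade(version_text, platform):
    """Only native Windows is affected; WSL and other OSs are not.
    `platform` is a hypothetical inventory label, not a Composer value."""
    if platform.strip().lower() != "windows":
        return False
    return in_affected_range(parse_version(version_text))


def audit(inventory):
    """Return host names from (host, platform, version_text) rows to upgrade."""
    return [host for host, platform, text in inventory
            if needs_upgrade(text, platform)]


# Constructed sample inventory (host names and timestamps are made up).
SAMPLE_INVENTORY = [
    ("build-win-01", "windows", "Composer version 2.1.8 2021-09-15 13:55:14"),
    ("build-win-02", "windows", "Composer version 2.1.9 2021-10-05 09:47:38"),
    ("legacy-win", "windows", "Composer version 1.10.22 2021-04-27 13:10:45"),
    ("dev-wsl", "wsl", "Composer version 2.0.14 2021-05-21 17:03:37"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade Composer to 1.10.23 or 2.1.9")
```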

Workarounds

None

Severity

Moderate

CVE ID

CVE-2021-41116
