CVE-2025-67746

Description

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

CVSS v3.1 Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-74 CWE-74

Affected Products

Vendor	Product	Versions
getcomposer	composer	2.0.0 — 2.2.26
getcomposer	composer	2.3.0 — 2.9.3

References

Advisories & Patches

https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917 https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71 https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g

Other References

https://github.com/composer/composer/releases/tag/2.2.26 https://github.com/composer/composer/releases/tag/2.9.3

Frequently Asked Questions

What is CVE-2025-67746? +

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. It has a CVSS v3.1 base score of 4.3 (MEDIUM).

How severe is CVE-2025-67746? +

CVE-2025-67746 has a CVSS v3.1 score of 4.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-67746? +

CVE-2025-67746 affects products from getcomposer, specifically: composer. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-67746? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-53263

Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote …

CVE-2025-27107

Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated …

CVE-2025-32699

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.

CVE-2025-40710

Host Header Injection (HHI) vulnerability in the Hotspot Shield VPN client, which can induce unexpected behaviour when accessing third-party web …

CVE-2025-6785

Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed …

CVE-2025-7350

A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. This can lead to …