CVE-2025-67746
December 30, 2025
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
Affected Packages
https://github.com/composer/composer.git (GITHUB):
Affected version(s) >=1.0.0-alpha1 <2.2.26Fix Suggestion:
Update to version 2.2.26https://github.com/composer/composer.git (GITHUB):
Affected version(s) >=2.3.0 <2.9.3Fix Suggestion:
Update to version 2.9.3composer/composer (PHP):
Affected version(s) >=1.0.0-alpha1 <2.2.26Fix Suggestion:
Update to version 2.2.26composer/composer (PHP):
Affected version(s) >=2.0.0 <2.2.26Fix Suggestion:
Update to version 2.2.26composer/composer (PHP):
Affected version(s) >=2.3.0 <2.9.3Fix Suggestion:
Update to version 2.9.3Related Resources (7)
Do you need more information?
Contact UsCVSS v4
Base Score:
1.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
EPSS
Base Score:
0.03
