CVE CyberSecurity Database News

CVE-2023-43655 - Composer Remote Code Execution Vulnerability Explained

Poster -

Composer is the go-to dependency manager for PHP projects. But if you're running a Composer PHAR file on a public server, you might be risking your entire site—and potentially your server—because of a dangerous security vulnerability: CVE-2023-43655. In this post, I’ll break down what this vulnerability is, how it works, how attackers might exploit it, and, most importantly, what you need to do to keep your site safe.

The Vulnerability: CVE-2023-43655 At a Glance

CVE-2023-43655 is a remote code execution (RCE) vulnerability discovered in Composer when the following conditions are met:

The web server is configured to allow execution of the .phar file as PHP code.

This makes it possible for an attacker to run arbitrary PHP code—potentially taking over your server.

Official Advisory and References

- GitHub Security Advisory: GHSA-gc3c-69g4-3jq6
- NVD Details: CVE-2023-43655
- Composer Changelog (2.6.4)

How Does the Exploit Work?

If you place composer.phar in a public directory on your server, and your server allows it to be executed via the browser (like https://yoursite.com/composer.phar), an attacker can trigger Composer with arguments of their own choosing.

Specifically, with register_argc_argv enabled, PHP passes URL request parameters as command-line arguments (argv[]/argc), making it possible for remote attackers to inject arguments to Composer—some of which can lead to execution of arbitrary PHP commands.

An attacker crafts a URL like

https://yoursite.com/composer.phar?1=--help

But more dangerously, they could pass commands triggering the eval-like behavior. Suppose Composer had a vulnerable command or script, the attacker might use:

https://yoursite.com/composer.phar?1=run-script&2=php echo shell_exec('id');

When composer.phar runs, something like this happens in PHP

$argv = $_SERVER['argv']; // Arguments passed from the web request, with register_argc_argv enabled

Composer then processes the arguments as if they came from the command line, not realizing they originate from a remote source, enabling the attacker to pass arbitrary commands to Composer.

Let’s say Composer runs commands like this

if (isset($argv[1]) && $argv[1] === 'run-script') {
    eval($argv[2]); // Dangerous! This could interpret raw user input.
}

With register_argc_argv enabled and composer.phar accessible, the following request could run ANY PHP CODE on your server:

https://yoursite.com/composer.phar?1=run-script&2=phpinfo();

While Composer itself does not contain a straight eval($argv[2]), the logic demonstrates why passing unchecked arguments is dangerous and how this CVE works.

1.10.27 (very old LTS)

- Download the latest composer.phar here

Best Practices

- Put composer.phar in your project root (outside web root)—never in a web-accessible directory.

For Apache (.htaccess)

<Files ~ "\.phar$">
    Order allow,deny
    Deny from all
</Files>

For Nginx

location ~* \.phar$ {
    deny all;
}

Double-check your php.ini - register_argc_argv should be OFF for production web servers.

- Secure your servers from this and similar bugs by following the principle of least privilege—don’t expose what you don’t need to.

Final Words

CVE-2023-43655 is a strong warning about safe DevOps for PHP: never expose development artifacts publicly, and always mind your PHP configuration. The PHP community moves quickly to patch such issues, so stay up-to-date and review your deployments regularly.

For more details

- Composer Security Advisories
- Official Composer Homepage

Timeline

Published on: 09/29/2023 20:15:09 UTC
Last modified on: 11/03/2023 21:15:16 UTC