Impact
The Perforce::syncCodeBase() method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the Perforce::generateP4Command() method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping from the source url field. Composer would execute these injected commands even if Perforce is not installed.
The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless.
This vulnerability is exploitable when installing or updating dependencies from source (--prefer-source, default when installing dev prefixed versions), even if you do not use Perforce.
Patches
Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)
Note, the fix for the source url in the Perforce::generateP4Command() was addressed as part of the patches for GHSA-wg36-wvj6-r67p / CVE-2026-40176 in the same versions.
Workarounds
- Avoid installing dependencies from source by using
--prefer-dist or the preferred-install: dist config setting.
- Only use trusted Composer repositories.
References
kodareef5 Reporter
Impact
The
Perforce::syncCodeBase()method appended the$sourceReferenceparameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 thePerforce::generateP4Command()method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping from the source url field. Composer would execute these injected commands even if Perforce is not installed.The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless.
This vulnerability is exploitable when installing or updating dependencies from source (
--prefer-source, default when installing dev prefixed versions), even if you do not use Perforce.Patches
Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)
Note, the fix for the source url in the
Perforce::generateP4Command()was addressed as part of the patches for GHSA-wg36-wvj6-r67p / CVE-2026-40176 in the same versions.Workarounds
--prefer-distor thepreferred-install: distconfig setting.References