CVE-2025-67746

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-67746
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67746.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67746
Aliases
Downstream
Published
2025-12-30T16:11:04.776Z
Modified
2026-01-08T12:11:07.322621Z
Severity
  • 1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Summary
Composer vulnerable to ANSI sequence injection
Details

Composer is a dependency manager for PHP. In 2.x versions before 2.2.26 and before 2.9.3 (per the affected ranges below: 2.0 up to 2.2.25, and 2.3 up to 2.9.2), an attacker who controls a remote source that Composer downloads from may be able to inject ANSI control characters into the terminal output of various Composer commands. The result is mangled output, which could mislead the user reading it or disrupt (DoS) the terminal application. There is no proven exploit, so the severity is low; the maintainers published a CVE anyway because the behaviour has potential for abuse and users should be informed that they need to upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
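
As an added example (not Composer's own code, and not a description of how the 2.2.26 / 2.9.3 patch is implemented), the PHP below shows the two checks a practitioner would want around this class of bug: a sanitiser that strips ESC sequences and other control characters from untrusted package metadata before it is written to the terminal, and an audit that walks decoded repository JSON looking for such characters. The package name, description and repository layout are constructed for the demonstration, and the function names `stripTerminalControls`, `renderPackageLine` and `findControlCharacters` are chosen here, not taken from Composer.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's own code. Strings that arrive from a remote
// package source (names, versions, descriptions, URLs in packages.json) are
// untrusted; a terminal will act on any ESC sequence or control character
// they contain. Two defences: strip controls before printing, and audit
// decoded repository metadata for control characters.

/**
 * Remove terminal control sequences from an untrusted UTF-8 string.
 * Keeps TAB and LF; removes ESC-introduced sequences (CSI, OSC, DCS, SOS, PM,
 * APC and the short "ESC x" forms), every other C0 control, DEL, and the C1
 * range U+0080-U+009F, which some terminals honour as 8-bit controls.
 */
function stripTerminalControls(string $untrusted): string
{
    $escapePatterns = [
        '/\x1B\[[\x30-\x3F]*[\x20-\x2F]*[\x40-\x7E]/', // CSI: ESC [ params intermediates final
        '/\x1B\][^\x07\x1B]*(?:\x07|\x1B\\\\)?/',      // OSC: ESC ] ... BEL or ESC \
        '/\x1B[PX^_][^\x1B]*(?:\x1B\\\\)?/',           // DCS, SOS, PM, APC: ESC P|X|^|_ ... ESC \
        '/\x1B[\x20-\x2F]*[\x30-\x7E]/',               // other ESC sequences, e.g. ESC c (reset)
        '/\x1B/',                                      // any stray ESC not consumed above
    ];
    // Patterns apply in order; because the last one deletes every remaining
    // ESC, no escape sequence can survive even if nested or malformed input
    // confused the earlier, more specific patterns.
    $withoutEscapes = preg_replace($escapePatterns, '', $untrusted);

    // C0 controls except TAB (0x09) and LF (0x0A); DEL; UTF-8-encoded C1
    // controls (0xC2 0x80 .. 0xC2 0x9F; 0xC2 is only ever a lead byte).
    return preg_replace('/[\x00-\x08\x0B-\x1F\x7F]|\xC2[\x80-\x9F]/', '', $withoutEscapes);
}

/** Format one line of package output from untrusted metadata. */
function renderPackageLine(string $name, string $version, string $description): string
{
    return sprintf(
        "  - %s (%s): %s\n",
        stripTerminalControls($name),
        stripTerminalControls($version),
        stripTerminalControls($description)
    );
}

/**
 * Walk decoded repository JSON and return the dotted path of every string
 * value containing ESC, another C0 control (TAB and LF excepted) or DEL.
 */
function findControlCharacters(array $metadata, string $path = ''): array
{
    $hits = [];
    foreach ($metadata as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_array($value)) {
            $hits = array_merge($hits, findControlCharacters($value, $here));
        } elseif (is_string($value) && preg_match('/[\x00-\x08\x0B-\x1F\x7F]/', $value) === 1) {
            $hits[] = $here;
        }
    }
    return $hits;
}

// Constructed sample of hostile metadata (not a real package): clears the
// screen, homes the cursor, prints a fake green "all good" message, and wraps
// the word "docs" in an OSC 8 hyperlink pointing somewhere else.
$hostileDescription = "Useful library\x1B[2J\x1B[H\x1B[32mAll packages verified\x1B[0m "
    . "\x1B]8;;https://example.invalid/\x07docs\x1B]8;;\x07";

// Constructed: the shape of a packages.json "packages" entry.
$sampleRepository = [
    'packages' => [
        'vendor/useful-lib' => [
            ['name' => 'vendor/useful-lib', 'version' => '1.2.0', 'description' => $hostileDescription],
        ],
    ],
];

// Audit: reports the path of the description entry that carries controls.
print_r(findControlCharacters($sampleRepository));

// Unsafe rendering (commented out): the terminal would execute the sequences.
// echo "  - vendor/useful-lib (1.2.0): $hostileDescription\n";

// Hardened rendering: the same line with every control sequence removed.
echo renderPackageLine('vendor/useful-lib', '1.2.0', $hostileDescription);
```

Run it with `php` on a terminal and compare with the commented-out unsafe `echo` to see the difference. Stripping at display time protects the interactive session but not log files that the raw bytes reach through other tools, so the audit walk is also worth running over a mirrored packages.json or a composer.lock before trusting it. Upgrading Composer itself is done with `composer self-update` (or `composer self-update --2.2` to stay on the 2.2 line), which is the actual fix this advisory asks for.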

Database specific
{
    "cwe_ids": [
        "CWE-74"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67746.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/composer/composer

Affected ranges

Type
GIT
Repo
https://github.com/composer/composer
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0"
        },
        {
            "fixed": "2.2.26"
        }
    ]
}
Type
GIT
Repo
https://github.com/composer/composer
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.3"
        },
        {
            "fixed": "2.9.3"
        }
    ]
}

Affected versions

2.*

2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.3.0
2.3.1
2.3.10
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.0-RC1
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.8.0
2.8.1
2.8.10
2.8.11
2.8.12
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.9.0
2.9.0-RC1
2.9.1
2.9.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67746.json"