DEBIAN-CVE-2025-67746

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-67746

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67746.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-67746

Upstream

CVE-2025-67746

Published

2025-12-30T16:15:47.170Z

Modified

2026-01-10T14:07:44.588829Z

Severity

1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

References

https://security-tracker.debian.org/tracker/CVE-2025-67746

Affected packages

Debian:11 / composer

Package

Name: composer
Purl: pkg:deb/debian/composer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.9-2

2.0.9-2+deb11u1

2.0.9-2+deb11u2

2.0.9-2+deb11u3

2.0.9-2+deb11u4

2.0.11-1

2.0.12-1

2.0.13-1

2.0.14-1

2.1.3-1

2.1.9-1

2.1.10-1

2.1.11-1

2.1.12-1

2.1.14-1

2.2.0~rc1-1

2.2.1-1

2.2.1-2

2.2.2-1

2.2.3-1

2.2.4-1

2.2.5-1

2.2.6-1

2.2.6-2

2.2.7-1

2.2.9-1

2.2.11-1

2.2.12-1

2.2.13-1

2.2.14-1

2.3.7-1

2.3.7-2

2.3.8-1

2.3.9-1

2.3.10-1

2.4.0~rc1-1

2.4.0-1

2.4.1-1

2.4.2-1

2.4.3-1

2.4.4-1

2.5.1-1

2.5.2-1

2.5.3-1

2.5.4-1

2.5.5-1

2.5.6-1

2.5.7-1

2.5.8-1

2.6.2-1

2.6.3-1

2.6.4-1

2.6.5-1

2.6.6-1

2.7.1-1

2.7.1-2

2.7.2-1

2.7.4-1

2.7.6-1

2.7.6-2

2.7.6-3

2.7.7-1

2.7.7-2

2.7.8-1

2.7.9-1

2.8.0-1

2.8.1-1

2.8.2-1

2.8.3-1

2.8.4-1

2.8.4-2

2.8.4-3

2.8.5-1

2.8.6-1

2.8.8-1

2.8.9-1

2.8.10-1

2.8.11-1

2.8.11-2

2.8.12-1

2.9.0~rc1-1

2.9.1-1

2.9.2-1

2.9.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67746.json"

Debian:12 / composer

Package

Name: composer
Purl: pkg:deb/debian/composer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.5-1+deb12u3

Affected versions

2.*

2.5.5-1

2.5.5-1+deb12u1

2.5.5-1+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67746.json"

Debian:13 / composer

Package

Name: composer
Purl: pkg:deb/debian/composer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.8-1+deb13u1

Affected versions

2.*

2.8.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67746.json"

Debian:14 / composer

Package

Name: composer
Purl: pkg:deb/debian/composer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.3-1

Affected versions

2.*

2.8.8-1

2.8.9-1

2.8.10-1

2.8.11-1

2.8.11-2

2.8.12-1

2.9.0~rc1-1

2.9.1-1

2.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67746.json"