The composer install
command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.
2.2.24 for 2.2 LTS or 2.7.7 for mainline
Avoid cloning potentially compromised repositories.
{ "nvd_published_at": "2024-06-10T22:15:09Z", "cwe_ids": [ "CWE-77" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-06-10T21:36:25Z" }