CVE-2015-8371

Name: CVE-2015-8371
Creator: NVD / NIST
Published: 2023-09-21T06:15:11.633+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.70%

Last modified Jun 17, 2026

CVE-2015-8371 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. EPSS estimates a 0.70% chance of exploitation in the next 30 days.

Description

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.70%

48.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-345

Affected Software

Vendor	Product	Versions	Update
Getcomposer	Composer	1.0.0	Alpha1

References

https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.htmlExploit, Third Party Advisory
https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yamlThird Party Advisory
https://github.com/composer/composerProduct
https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.ymlThird Party Advisory
https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.htmlExploit, Third Party Advisory
https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yamlThird Party Advisory
https://github.com/composer/composerProduct
https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.ymlThird Party Advisory

Timeline

Published: Sep 21, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-8371?

How severe is CVE-2015-8371?

CVE-2015-8371 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.70% probability of exploitation in the next 30 days.

How do I fix CVE-2015-8371?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-8371?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST