CVE-2023-43655

Name: CVE-2023-43655
Creator: NVD / NIST
Published: 2023-09-29T20:15:09.987+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 1.38%

Last modified Jun 17, 2026

CVE-2023-43655 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. EPSS estimates a 1.38% chance of exploitation in the next 30 days.

Description

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.38%

68.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Getcomposer	Composer	< 1.10.27
Getcomposer	Composer	>= 2.0.0, < 2.2.21
Getcomposer	Composer	>= 2.3.0, < 2.6.4
Debian	Debian Linux	10.0
Fedoraproject	Fedora	37
Fedoraproject	Fedora	38

References

https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120dPatch
https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968cPatch
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9cPatch
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hfVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00030.htmlMailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/Mailing List, Third Party Advisory
https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120dPatch
https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968cPatch
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9cPatch
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hfVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00030.htmlMailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/Mailing List, Third Party Advisory

Timeline

Published: Sep 29, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-43655?

How severe is CVE-2023-43655?

CVE-2023-43655 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.38% probability of exploitation in the next 30 days.

How do I fix CVE-2023-43655?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-43655?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST