A command chain injection flaw in PHP Composer allows attackers to execute arbitrary commands and establish backdoors in every PHP package. The vulnerability has the potential to be exploited to conduct supply-chain attacks.
The vulnerability is caused by improper sanitization of URLs for repositories in root composer.json files and package source download URLs that could be interpreted as options for system commands executed by Composer.
Composer up to 1.10.21/2.0.12
Download the latest patches and upgrade to version 1.10.22 or 2.0.13 from https://github.com/composer/composer/releases/tag/2.0.13