CVE-2021-41116 — Improper escaping of command arguments on Windows leading to command injection

Description

### Impact Windows users running Composer to install untrusted dependencies are affected and should definitely upgrade for safety. Other OSs and WSL are not affected. ### Patches 1.10.23 and 2.1.9 fix the issue ### Workarounds None

How to fix CVE-2021-41116

To remediate CVE-2021-41116, upgrade the affected package to a fixed version below.

—upgrade to 1.10.23 or later
—upgrade to 1.10.23 or later

Is CVE-2021-41116 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.10.23, >= 2.0.0, < 2.1.9
from 0, < 1.10.23

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-41116
PATCHgithub.com/composer/composer
WEBgithub.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa
WEBgithub.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf