| Name | CVE-2026-45793 |
| Description | Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUB_TOKEN values using the ghs_<id>_<base64url-JWT> format can contain -, fail validation, and be disclosed to stderr or CI logs. This issue is fixed in versions 1.10.28, 2.2.28, and 2.9.8. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| composer (PTS) | bullseye (security), bullseye | 2.0.9-2+deb11u4 | vulnerable |
| bookworm | 2.5.5-1+deb12u5 | fixed | |
| bookworm (security) | 2.5.5-1+deb12u2 | vulnerable | |
| trixie | 2.8.8-1+deb13u3 | fixed | |
| forky, sid | 2.10.2-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| composer | source | bookworm | 2.5.5-1+deb12u5 | |||
| composer | source | trixie | 2.8.8-1+deb13u3 | |||
| composer | source | (unstable) | 2.10.0-1 |
https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2