CVE-2025-67746 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-67746 Interim 1 1 2026-03-05T00:26:04Z current 2026-03-05T00:26:04Z 2026-03-05T00:26:04Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-67746 Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for Web and Scripting 15 SP6 SUSE Linux Enterprise Module for Web and Scripting 15 SP7 SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP4-TERADATA SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Module for Web and Scripting 15 SP6 SUSE Linux Enterprise Server 15 SP6-LTSS SUSE Linux Enterprise Module for Web and Scripting 15 SP7 SUSE Linux Enterprise Server Teradata 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Module for Web and Scripting 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Module for Web and Scripting 15 SP7 SUSE Manager Server LTS 4.3 openSUSE Leap 15.6 openSUSE Tumbleweed php-composer2 php-composer2-2.2.3-150400.3.15.1 php-composer2-2.6.4-150600.3.6.1 php-composer2-2.9.3-1.1 php-composer2-2.9.3-1.1 as a component of openSUSE Tumbleweed php-composer2-2.6.4-150600.3.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 php-composer2-2.2.3-150400.3.15.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA php-composer2-2.6.4-150600.3.6.1 as a component of openSUSE Leap 15.6 php-composer2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS php-composer2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS php-composer2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS php-composer2 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 php-composer2 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 php-composer2 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS php-composer2 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS php-composer2 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS php-composer2 as a component of SUSE Linux Enterprise Server Teradata 15 SP4 php-composer2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 php-composer2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 php-composer2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 php-composer2 as a component of SUSE Manager Server LTS 4.3 php-composer2 as a component of openSUSE Leap 15.6 Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. CVE-2025-67746 openSUSE Tumbleweed:php-composer2-2.9.3-1.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.6.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:php-composer2-2.2.3-150400.3.15.1 openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.6.1 low 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L