ALAS2023-2026-1365


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1365
Advisory Released Date: 2026-01-23
Advisory Updated Date: 2026-01-23
Severity: Low

Issue Overview:

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. (CVE-2025-67746)


Affected Packages:

composer


Issue Correction:
Run dnf update composer --releasever 2023.10.20260120 or dnf update --advisory ALAS2023-2026-1365 --releasever 2023.10.20260120 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
noarch:
    composer-2.9.3-1.amzn2023.0.1.noarch

src:
    composer-2.9.3-1.amzn2023.0.1.src
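
To triage hosts against the version range in the Issue Overview, the following added example (not part of the advisory or of Composer) classifies a Composer version string. The function name `composer_status` is hypothetical, and the code assumes that 2.2.x releases are fixed from 2.2.26 and all other 2.x releases from 2.9.3.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Composer version string
# against the fixed releases the advisory names, 2.2.26 and 2.9.3.
# Assumed reading: 2.2.x is fixed from 2.2.26; all other 2.x from 2.9.3.

# composer_status VERSION  ->  prints affected | fixed | out-of-scope
composer_status() {
    ver=${1%%[-+]*}                 # drop RPM release or pre-release suffix
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo out-of-scope; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    case $major$minor$patch in
        *[!0-9]*) echo out-of-scope; return 0 ;;   # non-numeric component
    esac
    if [ "$major" -ne 2 ]; then
        echo out-of-scope           # the advisory only covers the 2.x branch
    elif [ "$minor" -eq 2 ]; then
        if [ "$patch" -ge 26 ]; then echo fixed; else echo affected; fi
    elif [ "$minor" -lt 9 ]; then
        echo affected               # 2.0, 2.1 and 2.3 through 2.8
    elif [ "$minor" -eq 9 ]; then
        if [ "$patch" -ge 3 ]; then echo fixed; else echo affected; fi
    else
        echo fixed                  # 2.10 and later
    fi
}

# Constructed sample versions; the last is the package version from this advisory.
for v in 1.10.27 2.2.25 2.2.26 2.8.12 2.9.2 2.9.3-1.amzn2023.0.1; do
    printf '%-24s %s\n' "$v" "$(composer_status "$v")"
done

# On a host: composer_status "$(rpm -q --qf '%{VERSION}' composer)"
```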