The vulnerability stems from the way package source download URLs are handled and can be exploited for remote command injection. The flaw is an argument injection: the URL is placed on the command line of the version-control client, so a value that begins with a dash is parsed as an option rather than as a repository location. Researchers demonstrated it by crafting a malicious Mercurial repository URL that abuses Mercurial’s “alias” configuration option to execute a shell command of the attacker’s choice. Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages.
Source: https://thehackernews.com/2021/04/a-new-php-composer-bug-could-enable.html
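The following is an added example, not code from the article or from the Composer project, and it is written in Python rather than Composer's PHP so that the pattern can be run stand-alone. It shows the argument-injection shape described above: a builder that drops a user-controlled repository URL straight into the argv of `hg clone`, beside a hardened builder that refuses option-looking values, requires a known scheme and terminates option parsing with `--`. The malicious "URL" and the host name are constructed for illustration (Mercurial's `alias.<name>=!<cmd>` form does define a shell alias, but the exact payload the researchers used is not quoted here); the assumption that the hardened builder mirrors Composer's actual patch is not made, and nothing in the block executes `hg`.

```python
"""
Added example (not Composer's own code): argument injection when a
repository URL is placed on a VCS client's command line.
"""
import shlex

# Constructed illustration of a malicious "URL": it is not a URL at all but
# a Mercurial option. The `alias.<name>=!<shell>` form defines a shell alias,
# so an unguarded `hg clone` would run the attacker's command instead of cloning.
MALICIOUS_URL = "--config=alias.clone=!touch /tmp/pwned"
BENIGN_URL = "https://hg.example.org/repo"  # hypothetical host, constructed

# Schemes the hardened builder accepts (assumed policy, not Composer's list).
ALLOWED_SCHEMES = {"http", "https", "ssh", "file"}


def build_hg_clone_vulnerable(url: str, dest: str) -> list[str]:
    """Vulnerable pattern: the user-controlled URL goes straight into argv.
    Nothing stops a value starting with '-' from being parsed as an option."""
    return ["hg", "clone", url, dest]


def build_hg_clone_hardened(url: str, dest: str) -> list[str]:
    """Hardened pattern (assumed, not Composer's exact patch):
    1. refuse any URL that looks like an option,
    2. require a recognised scheme,
    3. put '--' before positional args so the client stops option parsing
       (assumes the client honours '--' as end-of-options)."""
    if url.startswith("-"):
        raise ValueError(f"refusing URL that looks like an option: {url!r}")
    scheme, sep, _ = url.partition("://")
    if not sep or scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported or missing URL scheme: {url!r}")
    return ["hg", "clone", "--", url, dest]


def injected_options(argv: list[str]) -> list[str]:
    """Return the argv entries after the subcommand that a typical option
    parser would treat as options. Entries after a bare '--' are positional
    and are therefore not reported."""
    found = []
    for arg in argv[2:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            found.append(arg)
    return found


if __name__ == "__main__":
    bad = build_hg_clone_vulnerable(MALICIOUS_URL, "pkg")
    print("vulnerable argv:", shlex.join(bad))
    print("options smuggled in via the URL:", injected_options(bad))
    good = build_hg_clone_hardened(BENIGN_URL, "pkg")
    print("hardened argv:", shlex.join(good))
    try:
        build_hg_clone_hardened(MALICIOUS_URL, "pkg")
    except ValueError as exc:
        print("hardened builder rejected:", exc)
```

The leading-dash check is what closes this class of bug; the scheme allow-list and the `--` separator are defence in depth, since a client that accepts option-like positional values after `--` still cannot be made to interpret the URL as `--config`.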

