Update shivammathur/setup-php action to v2.37.1 [SECURITY]#637
Open
renovate[bot] wants to merge 1 commit into
| datasource | package | from | to |
| ----------- | ---------------------- | ------ | ------ |
| github-tags | shivammathur/setup-php | 2.37.0 | 2.37.1 |
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@             Coverage Diff             @@
##             1.16.x     #637     +/-   ##
=========================================
  Coverage     64.58%   64.58%
  Complexity      301      301
=========================================
  Files            51       51
  Lines          1279     1279
=========================================
  Hits            826      826
  Misses          453      453
```

☔ View full report in Codecov by Sentry.
This PR contains the following updates: 2.37.0 → 2.37.1

Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

CVE-2026-46420 / GHSA-pqwm-q9pv-ph8r

Summary

A command injection vulnerability was identified in `shivammathur/setup-php` when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script.

In affected versions, `setup-php` may read the PHP version from:

- `.php-version`
- `composer.lock` via `platform-overrides.php`
- `composer.json` via `config.platform.php`

If an attacker can influence one of these files and the workflow executes `setup-php` in a trusted context, they may be able to execute commands on the GitHub Actions runner.

Impact

This issue is exploitable when `setup-php` is run after checking out attacker-controlled repository contents and resolves the PHP version from repository files.

The most significant example is a privileged workflow such as `pull_request_target` that checks out untrusted pull request code before invoking `setup-php`. Similar risk can also arise in other workflows that operate on attacker-controlled refs, branches, or repository contents in a trusted context.

This is not a separate security boundary when an attacker can already modify the workflow definition itself or directly control the `php-version` workflow input, since that level of access already permits arbitrary command execution in GitHub Actions.

Technical details

In affected versions, repository-derived PHP version values were insufficiently constrained before being incorporated into the generated shell or PowerShell setup script executed by the action. This could allow attacker-controlled values from supported repository files to influence script execution in trusted workflow contexts.

Remediation

If you are using `shivammathur/setup-php@v2`, no action is needed on your end. Users who pin the setup-php release version or release version SHA should upgrade to a patched version.

The fix validates PHP version inputs, constrains manifest-derived versions, hardens script generation at the execution, and includes additional checks in related input-handling paths.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
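The advisory's remediation (validate PHP version inputs, constrain manifest-derived versions, harden script generation) can be illustrated with a small resolver that reads the three repository-controlled sources named above and fails closed on anything that is not a plain version token. This is an added example written for this page, not setup-php's own code: the accepted version grammar, the lookup order, the script file names and the sample repository contents are all assumptions of the example.

```typescript
// Added example, not setup-php's own code: resolve the PHP version from the
// three repository-controlled sources the advisory names and validate it
// before it can reach a generated shell or PowerShell setup script.
// The accepted grammar and the lookup order are assumptions of this example.

// Accept "latest", "nightly", or MAJOR.MINOR[.PATCH]. Anything else, including
// whitespace, quotes, $(), backticks or separators, is rejected (fail closed).
const PHP_VERSION_RE = /^(?:latest|nightly|\d{1,2}\.\d{1,2}(?:\.\d{1,3})?)$/;

function validatePhpVersion(raw: string, source: string): string {
  const value = raw.trim(); // .php-version files usually end with a newline
  if (!PHP_VERSION_RE.test(value)) {
    throw new Error(`refusing PHP version from ${source}: ${JSON.stringify(raw)}`);
  }
  return value;
}

// Repository file contents keyed by path; undefined means the file is absent.
interface RepoFiles {
  ".php-version"?: string;
  "composer.json"?: string;
  "composer.lock"?: string;
}

// Each candidate is validated at the point it is read, so a malformed value
// never propagates regardless of which source wins. Malformed JSON also
// throws, which is the desired fail-closed behaviour for repo-controlled input.
function resolvePhpVersion(files: RepoFiles): string | undefined {
  const dotFile = files[".php-version"];
  if (dotFile !== undefined) return validatePhpVersion(dotFile, ".php-version");

  const lock = files["composer.lock"];
  if (lock !== undefined) {
    const php = JSON.parse(lock)?.["platform-overrides"]?.php;
    if (typeof php === "string") {
      return validatePhpVersion(php, "composer.lock platform-overrides.php");
    }
  }

  const json = files["composer.json"];
  if (json !== undefined) {
    const php = JSON.parse(json)?.config?.platform?.php;
    if (typeof php === "string") {
      return validatePhpVersion(php, "composer.json config.platform.php");
    }
  }
  return undefined;
}

// Hand the version to the platform script as a separate argv element instead
// of splicing it into a command string: with argv there is no shell parsing
// step for metacharacters to reach. Script names here are hypothetical.
function setupScriptArgv(version: string, platform: "linux" | "darwin" | "win32"): string[] {
  const scripts = { linux: "linux.sh", darwin: "darwin.sh", win32: "win32.ps1" };
  return [scripts[platform], validatePhpVersion(version, "php-version input")];
}

// Constructed sample repositories: one benign, one carrying a hostile value.
const SAMPLE_REPOS: { [name: string]: RepoFiles } = {
  benign: { "composer.json": JSON.stringify({ config: { platform: { php: "8.2.0" } } }) },
  hostile: { ".php-version": "8.3;echo\n" },
};

// Reports which samples resolved cleanly and which were rejected.
function auditSamples(): { [name: string]: "ok" | "rejected" } {
  const out: { [name: string]: "ok" | "rejected" } = {};
  for (const name of Object.keys(SAMPLE_REPOS)) {
    try {
      resolvePhpVersion(SAMPLE_REPOS[name]);
      out[name] = "ok";
    } catch (_e) {
      out[name] = "rejected";
    }
  }
  return out;
}
```

The two controls are deliberately independent: the regex rejects anything that is not a version token at the source, and `setupScriptArgv` passes whatever survives as its own argument rather than as part of a command string, so a validation gap in one path would still not hand a shell a string to parse.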
Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions

GHSA-5wxr-w449-57cm

Impact

This affects only workflows that pin an exact affected Composer semver version through setup-php, for example `tools: composer:2.9.7`.

Workflows using the default Composer version, `composer:v2`, or no pinned Composer version are not affected through setup-php, because those Composer URLs have been updated to patched Composer releases for all setup-php versions.

setup-php does not directly print the token. The token may be exposed through Composer when Composer validates github-oauth auth and rejects GitHub's newer hyphen-containing token format.

Public repository logs may expose the token. GitHub-hosted runner GITHUB_TOKEN values expire after the job, but exposure may still matter during the token lifetime and for longer-lived GitHub App or user tokens.

Patches

setup-php 2.37.1 skips generated GitHub OAuth auth for pinned Composer versions affected by Composer GHSA-f9f8-rm49-7jv2 while preserving other Composer auth, including Packagist auth.

Workarounds

Upgrade to setup-php 2.37.1 or newer. You can also avoid the affected path by using a patched Composer version: 2.9.8, 2.2.28, 1.10.28, or newer supported Composer releases.

It is recommended to avoid pinning affected Composer versions such as `composer:2.9.7`, unless you have automations to do timely updates in your workflows.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
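Because the token-exposure path only applies to exact Composer pins in the `tools:` input, a quick audit of workflow files for pins below the patched releases the advisory lists (2.9.8, 2.2.28, 1.10.28) is a practical check. This is an added example for this page, not setup-php's or Composer's code: treating every exact pin below those releases as needing review is an assumption (the advisory does not enumerate the affected range), the line-regex YAML handling only covers the single-line `tools:` form, and the workflow excerpt is constructed.

```typescript
// Added example, not setup-php's own code: audit workflow `tools:` inputs for
// exact Composer pins below the patched releases named in the advisory
// (2.9.8, 2.2.28, 1.10.28). Treating every lower exact pin as needing review
// is an assumption; the advisory does not enumerate the affected range.

type Semver = [number, number, number];

// Lowest patched release for each Composer line, per the advisory. Order
// matters: the 2.2.x rule must be checked before the general 2.x rule.
const PATCHED: { matches: (v: Semver) => boolean; min: Semver }[] = [
  { matches: (v) => v[0] === 1, min: [1, 10, 28] },
  { matches: (v) => v[0] === 2 && v[1] === 2, min: [2, 2, 28] },
  { matches: (v) => v[0] === 2, min: [2, 9, 8] },
];

function parseSemver(s: string): Semver | undefined {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : undefined;
}

function lessThan(a: Semver, b: Semver): boolean {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Only exact pins are examined; "composer", "composer:v2" and similar resolve
// to current releases, which the advisory says are already patched.
function composerPinNeedsReview(tool: string): boolean {
  const m = /^composer:(\d+\.\d+\.\d+)$/.exec(tool.trim());
  if (!m) return false;
  const v = parseSemver(m[1]);
  if (!v) return false;
  for (const rule of PATCHED) {
    if (rule.matches(v)) return lessThan(v, rule.min);
  }
  return false; // unknown line (e.g. a future 3.x): nothing to compare against
}

// Pull every single-line `tools:` value out of a workflow file and return
// the Composer pins that need review.
function auditWorkflow(yaml: string): string[] {
  const flagged: string[] = [];
  const re = /^\s*tools:\s*['"]?([^'"\n]+?)['"]?\s*$/gm;
  let m: RegExpExecArray | null;
  while ((m = re.exec(yaml)) !== null) {
    for (const tool of m[1].split(",")) {
      const t = tool.trim();
      if (composerPinNeedsReview(t)) flagged.push(t);
    }
  }
  return flagged;
}

// Constructed workflow excerpt with one risky exact pin and one safe alias.
const SAMPLE_WORKFLOW = `
jobs:
  test:
    steps:
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer:2.9.7, phpunit
  lint:
    steps:
      - uses: shivammathur/setup-php@v2
        with:
          tools: 'composer:v2, phpstan'
`;
```

Running `auditWorkflow(SAMPLE_WORKFLOW)` returns only the `composer:2.9.7` pin; the `composer:v2` alias is left alone, matching the advisory's statement that non-exact references already point at patched releases.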
Release Notes

shivammathur/setup-php (shivammathur/setup-php)

v2.37.1 (Compare Source)

Changelog

Security Updates

Fixes and Improvements

- Fixed support for `phalcon` on Windows.
- Fixed restoring tools cached from previous runs.
- Improved enabling the `gearman` extension on Linux.
- Fixed fallback when installing the `PhpManager` and `VcRedist` modules on Windows.
- Fixed parsing extension inputs with backslash line continuation.
- Improved workflow examples.
- Updated OS release mappings for newer Ubuntu releases.
- Updated internal workflows for Codecov v6 and NPM trusted publishing.
- Updated Node.js dependencies.
- Fixed composer version in README. (#1081) Thanks @Pyker for the contribution.

For the complete list of changes, please refer to the Full Changelog.
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.