This article provides information on the composer plugin released for the Dependency Confusion attacks and recommendations on avoiding the error. Composer plugin was introduced alongside Adobe Commerce 2.4.3 release to protect Adobe Commerce merchants from Dependency Confusion attacks.
A potential case of an active Dependency Confusion attack is detected through at least one of the direct or indirect dependencies defined in
composer.json by the composer plugin
magento/composer-dependency-version-audit-plugin during composer installation/update.
Steps to reproduce:
When you install/update composer, the composer plugin will stop the process if it detects a potential Dependency Confusion attack. In that case, composer install/update will fail with an error message similar to:
Higher matching version x.x.x of package/name was found in public repository packagist.org than x.x.x in private.repo. Public package might've been taken over by a malicious entity; please investigate and update package requirement to match the version from the private repository.
Dependency Confusion attack allows to remotely execute arbitrary code on a server by tricking a dependency manager (for instance, PHP’s Composer) into downloading a malicious package from a public source instead of the original package from a private repository.
Such an attack may even go undetected if an attacker is able to maintain the original package’s functionality.
Attackers can exploit this vulnerability if a package is only available through private repositories, but is not registered in the public one. The attacker then uploads a package with the same name to the public repository and gives it a higher version than the one available privately. The dependency manager will then compare versions of both privately and publicly available packages and will choose the highest one from the public repository. The malicious code downloaded by the dependency manager will then be executed with the same privileges as the application’s code.