
Why it Matters

Extensions often bring in additional libraries through Composer dependencies. A Magento module may look safe, but one of its nested (transitive) dependencies can carry a known CVE. These hidden vulnerabilities are easy to miss if you only check the top-level packages listed in composer.json; the full set of installed packages, with exact versions, lives in composer.lock.

Flagging CVEs in transitive dependencies ensures that security checks cover the full supply chain. Attackers often target popular PHP libraries that are pulled in indirectly, because store owners never chose those packages, may not know they are installed, and therefore rarely patch them.

Verification Steps

Composer dependency tree

# Show the installed dependency tree (direct requirements and what each one pulls in)
composer show -t

# Scan the lockfile: it records every installed package, transitive ones included
osv-scanner --lockfile=./composer.lock

# Expected: no findings. Any CVE reported against a package that is not
# listed in composer.json is a transitive-dependency finding and is a FAIL.

Remediation / Fix Guidance

  1. Run vulnerability scans on composer.lock, not just composer.json. Only the lockfile contains the exact versions of transitive packages, so a scan of composer.json alone cannot see them.
  2. If a transitive dependency is vulnerable:
    • Upgrade the parent extension to a version that requires the patched library.
    • If no upgrade is available, add the library as a direct requirement in composer.json pinned to a patched version. Composer will install that version only if every parent's own constraint still allows it; if a parent's constraint excludes the patched release, the resolver fails rather than silently keeping the vulnerable version, and you need a vendor fix (or a temporary fork of the extension).
    • Contact the vendor to request a patch if needed.
  3. Retest and deploy after ensuring the dependency tree is clean.
  4. Integrate automated scans in CI/CD so regressions are caught early.
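The Python script below is an added example for the verification and remediation steps above; it is not part of this baseline page and is not Composer or osv-scanner code. It does by hand what `composer show -t` and a lockfile scan do together: it parses a small, constructed composer.json and composer.lock, lists the packages that are transitive (installed but not in the root `require`), prints the chain from a root requirement to a given library, checks the locked version against a "fixed in" threshold, and then plans the step 2 override by pinning the library in composer.json and reporting any parent whose constraint would reject the patched version. The package names, versions and the 4.4.55 threshold are constructed fixtures that mirror the Fail/Pass examples, not a real advisory, and only caret (`^x.y`) and exact constraints are modelled.

```python
"""Locate a vulnerable transitive package in composer.lock and plan an override.

Constructed fixtures only: the composer.json / composer.lock slices and the
"fixed in 4.4.55" threshold are assumptions for illustration, not a real advisory.
"""
import json
import re

# Constructed fixture: root composer.json of a store that installs one extension.
COMPOSER_JSON = json.loads("""
{
  "name": "store/magento",
  "require": {
    "vendor/extension": "^1.0",
    "monolog/monolog": "^2.0"
  }
}
""")

# Constructed fixture: the relevant slice of composer.lock after `composer install`.
COMPOSER_LOCK = json.loads("""
{
  "packages": [
    {"name": "vendor/extension", "version": "1.0.0",
     "require": {"symfony/http-foundation": "^4.4"}},
    {"name": "symfony/http-foundation", "version": "v4.4.0",
     "require": {"symfony/polyfill-mbstring": "~1.1"}},
    {"name": "symfony/polyfill-mbstring", "version": "v1.27.0", "require": {}},
    {"name": "monolog/monolog", "version": "2.9.1", "require": {}}
  ]
}
""")


def parse_version(v):
    """'v4.4.55' -> (4, 4, 55). Leading 'v' and pre-release suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def lock_index(lock):
    """Map package name -> lock entry."""
    return {p["name"]: p for p in lock.get("packages", [])}


def transitive_packages(composer_json, lock):
    """Packages present in the lock file but not directly required by the root."""
    direct = set(composer_json.get("require", {}))
    return sorted(name for name in lock_index(lock) if name not in direct)


def dependency_paths(composer_json, lock, target):
    """Every chain root-require -> ... -> target recorded in the lock file."""
    index = lock_index(lock)
    paths = []

    def walk(name, path):
        if name == target:
            paths.append(path)
            return
        for dep in index.get(name, {}).get("require", {}):
            if dep not in path:  # guard against dependency cycles
                walk(dep, path + [dep])

    for name in composer_json.get("require", {}):
        walk(name, [name])
    return paths


def is_vulnerable(lock, package, fixed_in):
    """True if the locked version of `package` is older than the first patched release."""
    pkg = lock_index(lock).get(package)
    return pkg is not None and parse_version(pkg["version"]) < parse_version(fixed_in)


def caret_allows(constraint, version):
    """Does a Composer constraint admit `version`? Assumption: only caret
    (^1.2 / ^1.2.3, and ^0.x as a minor range) and exact constraints are handled."""
    c = constraint.strip()
    if c.startswith("^"):
        low = parse_version(c[1:])
        upper = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
        return low <= parse_version(version) < upper
    return parse_version(c) == parse_version(version)


def plan_override(composer_json, lock, package, fixed_in):
    """Pin `package` at ^fixed_in in the root composer.json (step 2 of the fix guidance)
    and list every parent whose own constraint would reject that version; with such a
    blocker the resolver fails instead of installing the patched release."""
    blockers = [
        (parent["name"], parent["require"][package])
        for parent in lock_index(lock).values()
        if package in parent.get("require", {})
        and not caret_allows(parent["require"][package], fixed_in)
    ]
    updated = json.loads(json.dumps(composer_json))  # deep copy, leave the input intact
    updated.setdefault("require", {})[package] = "^" + fixed_in.lstrip("v")
    return updated, blockers


if __name__ == "__main__":
    target, fixed_in = "symfony/http-foundation", "4.4.55"  # constructed threshold
    print("transitive:", transitive_packages(COMPOSER_JSON, COMPOSER_LOCK))
    for path in dependency_paths(COMPOSER_JSON, COMPOSER_LOCK, target):
        print("pulled in via:", " -> ".join(path))
    print("vulnerable:", is_vulnerable(COMPOSER_LOCK, target, fixed_in))
    updated, blockers = plan_override(COMPOSER_JSON, COMPOSER_LOCK, target, fixed_in)
    print("override:", json.dumps(updated["require"], indent=2))
    print("blocked by:", blockers or "nothing, the pin will resolve")
```

Run it as-is to see the chain `vendor/extension -> symfony/http-foundation`, the vulnerable verdict for the locked 4.4.0, and the pinned `"symfony/http-foundation": "^4.4.55"` that step 2 adds; swap the parent's constraint to an exact `4.4.0` in the fixture and the same call reports the extension as a blocker, which is the case where only a vendor upgrade or a fork resolves the finding. Against a real store, replace the fixtures with `json.load(open("composer.json"))` and `json.load(open("composer.lock"))`.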

Examples

Fail Example

# osv-scanner result
vendor/extension 1.0.0
└── symfony/http-foundation 4.4.0
CVE-2023-12345: Header injection
# Extension looks safe but pulls vulnerable library → FAIL

Pass Example

# osv-scanner result
vendor/extension 1.0.1
└── symfony/http-foundation 4.4.55
# Patched version installed, no CVEs found → PASS
