web php deserialization composer classloader file-include rce

Deserialize a Composer ClassLoader with a controlled classMap so loadClass() becomes a precise file-include primitive.

Composer\Autoload\ClassLoader as an include Primitive

Composer's class loader is trusted application infrastructure. If you can deserialize and control its classMap, loadClass() becomes a precise file-include primitive. Unlike many include bugs, no suffix is appended if classMap already points to a complete path.

Why It Works

  • loadClass("CNF") includes whatever path classMap["CNF"] holds — a clean, suffix-free include.

Vulnerable Pattern

  • PHP object injection in an application that ships Composer and later invokes methods on a user-influenced ClassLoader object.
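
The defensive counterpart to this pattern, as an added example that is not from the original write-up or from Composer: restrict unserialize() to an allow-list and fail closed when any other class appears in the data. MoodNote, hasIncompleteObject() and safeUnserialize() are hypothetical names, and both inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example; MoodNote, hasIncompleteObject(), safeUnserialize() are hypothetical.
final class MoodNote { public string $text = ''; }

// True if the graph holds a class outside the allow-list: unserialize() leaves
// those as __PHP_Incomplete_Class placeholders instead of real objects.
function hasIncompleteObject(mixed $value, int $depth = 0): bool
{
    if ($depth > 32 || $value instanceof __PHP_Incomplete_Class) {
        return true; // fail closed on cyclic or over-deep graphs as well
    }
    if (is_object($value)) {
        $value = (array) $value; // the cast also exposes private/protected properties
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (hasIncompleteObject($item, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

function safeUnserialize(string $data, array $allowedClasses): mixed
{
    // Only allow-listed classes are instantiated.
    $value = @unserialize($data, ['allowed_classes' => $allowedClasses, 'max_depth' => 16]);
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (hasIncompleteObject($value)) {
        throw new UnexpectedValueException('class outside the allow-list');
    }
    return $value;
}

// Constructed inputs: an expected note, and an empty object naming Composer's loader.
$ok  = serialize(['note' => new MoodNote()]);
$bad = 'a:1:{s:4:"note";O:29:"Composer\Autoload\ClassLoader":0:{}}';
$note = safeUnserialize($ok, [MoodNote::class])['note'];
var_dump($note instanceof MoodNote);
try {
    safeUnserialize($bad, [MoodNote::class]);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```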

Exploit Flow

  1. Place a PHP payload in a readable path first, even if stored under a non-.php name in a share directory.
  2. Create a ClassLoader with classMap["CNF"] (or another chosen class name) pointing to that file.
  3. Trigger the method path that eventually calls loadClass() for that class string.

Variations

  • findFile, autoload fallbacks, or class aliases if the exact gadget path differs.

Common Blockers

  • Composer internal property names are version-sensitive, and serialized private-property mangling must match.

PoC Sketch

$classMap["CNF"] = "/var/www/html/public/shared_notes/<uuid>/shared.mood.notes";
// make the gadget call loadClass("CNF")

Good Situations To Use It

  • You have PHP object injection and Composer is present.
  • You can write a PHP payload to a readable (non-.php) path.
  • A reachable gadget eventually calls loadClass().

Sources

  • fcsc2026/web/secure_mood_notes_2