[HIGH] Missing argument delimiter can lead to command execution via VCS repository URLs or source download URLs on systems with Mercurial

PKSA-9p8h-97x3-qxpm CVE-2021-29472 GHSA-h5h8-pc6h-jvvx

Affected package: composer/composer

Affected version: >=2.0.0-alpha1,<2.0.13|<1.10.22

Reported by:
FriendsOfPHP/security-advisories, GitHub