rm -rf vendor/phpunit/
This includes all 5.x releases prior to 5.6.3. The issue was first introduced in version 4.8.19 (and 5.0.10) and remained present up to the patched releases. Patched versions include .
# 1. Remove the entire vendor directory rm -rf vendor/ vendor phpunit phpunit src util php eval-stdin.php cve
When the CVE eventually appeared in a coordinated advisory months later, it read cleanly and clinically about a debug helper that could lead to remote code execution if shipped. The score was high enough to ensure attention, low enough that no systems were harmed. The advisory included a recommended patch and a note of thanks to a nameless researcher who had disclosed it responsibly.
location /vendor/ deny all; return 403;
composer require --dev phpunit/phpunit:^9.0 # or specific patched versions: composer require --dev phpunit/phpunit:4.8.28 composer require --dev phpunit/phpunit:5.6.3
The problem lies in the vulnerable versions of PHPUnit where the eval-stdin.php file uses the php://input wrapper to read incoming data. The vulnerable code originally looked like: eval('?>'.file_get_contents('php://input')); rm -rf vendor/phpunit/ This includes all 5
PHPUnit is one of the most widely used testing frameworks for PHP, with over 100 million downloads. As a crucial component of the PHP ecosystem, ensuring its security is paramount. Recently, a critical vulnerability was discovered in PHPUnit, which allows attackers to execute arbitrary code on vulnerable systems. This article provides an in-depth analysis of the vulnerability, its impact, and steps to mitigate it.
The file was small: a handful of lines that read STDIN and eval’d it. It was meant as a convenience for debugging, a way to run snippets against the app’s runtime. In development, on a trusted machine, it could be a gentle godsend. Left in production, exposed behind a route or a composer bin stub, it was an invitation for disaster. The advisory included a recommended patch and a
Ironically, eval-stdin.php was not designed as a backdoor. It was a for PHPUnit’s own internal process isolation. When running tests that call exec() or external processes, PHPUnit used this script to evaluate small snippets of PHP code passed via standard input. The developer intended to use it exclusively from the command line.
The exploitation process is simple, involving just a few steps.