This vulnerability affects PHPUnit versions before 4.8.28 and all 5.x versions before 5.6.3. It allows attackers to execute arbitrary PHP code on servers where PHPUnit is exposed. The issue exists in the eval-stdin.php file located in PHPUnit's Util/PHP directory. When this file is accessible (typically when the /vendor folder is exposed), attackers can send malicious HTTP POST requests containing PHP code starting with <?php to execute arbitrary commands on the server.
- Remote code execution on vulnerable servers
- Full server compromise if PHPUnit is exposed
- Particularly dangerous when /vendor directories are publicly accessible
- PHPUnit 4.x before 4.8.28
- PHPUnit 5.x before 5.6.3
- Upgrade PHPUnit to version 4.8.28 or 5.6.3 (or later)
- Ensure /vendor directories are not publicly accessible
- Remove or restrict access to eval-stdin.php if upgrade isn't immediately possible