Remediation: upgrade to PHPUnit 4.8.28 or 5.6.3 at minimum. The patch replaced php://input with php://stdin: a web request can populate the request-body stream, but not the PHP process's standard input, so a POST body no longer reaches eval(). Upgrading is necessary but not sufficient. PHPUnit is a development dependency, and the vendor/ tree should not be deployed to a web-reachable path at all: install with composer install --no-dev on production hosts and deny HTTP access to vendor/ at the web server.
Severity: Critical (CVSS 9.8). Affected versions: PHPUnit 4.8.x from 4.8.19 up to but not including 4.8.28, and 5.x from 5.0.10 up to but not including 5.6.3. Fixed in: PHPUnit 4.8.28 and 5.6.3, and all later releases.
The vulnerability allows an attacker who can reach the eval-stdin.php script over HTTP to execute arbitrary PHP code on the server: the attacker crafts a malicious payload, sends it as the body of a POST request to the script, and the server evaluates it with the privileges of the web server process. This can lead to a complete compromise of the server, including data theft, unauthorized access, and a full system takeover.
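Because exploitation is nothing more than an HTTP request to that script, the cheapest retrospective check is the web server access log. The following Python is an added example, not part of the original advisory or of PHPUnit: it parses combined-format access log lines (the sample lines below are constructed, with RFC 5737 addresses), percent-decodes and normalises each request path so that encoded or dot-segment variants collapse onto one canonical path, flags any request for eval-stdin.php under a phpunit directory, and summarises hits per source. The regexes, sample log and function names are my assumptions, not a published detection rule.

```python
"""Flag access-log requests aimed at PHPUnit's eval-stdin.php.

Added example, not code from the advisory or from PHPUnit. Input is
Apache/nginx combined-format access log text. Each request path is
percent-decoded and normalised before matching, so simple evasions
(%2D, /./, /../) map onto the same canonical path.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample traffic (RFC 5737 addresses), not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:01:06 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 200 32 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2024:10:02:11 +0000] "GET /lib/../vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "curl/8.4"
203.0.113.7 - - [12/Mar/2024:10:03:00 +0000] "GET /blog/phpunit-eval-stdin-php-explained HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined log format up to the status and size fields; referrer and
# user agent are left unparsed because the detection does not need them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The script lives inside PHPUnit's source tree; matching any
# .../phpunit/.../eval-stdin.php also catches non-standard vendor dirs.
TARGET_RE = re.compile(r"/phpunit/.*/eval-stdin\.php$")


def normalise_path(target: str) -> str:
    """Canonicalise a request target: drop the query string, percent-decode
    twice (to undo %25xx double encoding), collapse ./ and ../ segments."""
    path = urlsplit(target).path
    path = unquote(unquote(path))
    return posixpath.normpath(path)


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = normalise_path(entry["target"])
    return entry


def find_eval_stdin_hits(log_text: str) -> list:
    """All parsed entries whose canonical path is PHPUnit's eval-stdin.php."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and TARGET_RE.search(entry["path"]):
            hits.append(entry)
    return hits


def summarise(hits: list) -> dict:
    """Per-source counts. A POST answered with 200 means the script was
    reachable and ran, which is the exploitation path; other hits are
    probes for the file and still worth knowing about."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"requests": 0, "post_200": 0})
        s["requests"] += 1
        if h["method"] == "POST" and h["status"] == 200:
            s["post_200"] += 1
    return summary


if __name__ == "__main__":
    for ip, s in summarise(find_eval_stdin_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} request(s), {s['post_200']} successful POST(s)")
```

Feed it a real log with find_eval_stdin_hits(Path("access.log").read_text()). Access logs do not record POST bodies, so the rule keys on the path only; a production site has no legitimate reason to serve this path, which keeps the false-positive rate low even though the match is broad.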
The original code used a dangerous combination of functions:

eval('?> ' . file_get_contents('php://input'));

file_get_contents('php://input') returns the raw request body, and the leading '?>' closes PHP mode so that the body is evaluated as a PHP template: any <?php ... ?> block the client includes is parsed and executed by eval(), with no authentication and no validation of the input.
The vulnerability is located at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.

eval-stdin.php: the vulnerable version of this file passed raw POST data, read through the php://input wrapper, to the eval() function.

php://input: a read-only stream that exposes the raw body of the HTTP request (for a POST, the posted data). Anything a client sends in the body therefore arrives in the script verbatim and, in the vulnerable version, goes straight into eval().
The affected range covers 4.8.19 through 4.8.27 and all 5.x releases from 5.0.10 up to, but not including, 5.6.3. The issue was introduced in version 4.8.19 (and 5.0.10) and remained present until the patched releases, 4.8.28 and 5.6.3.
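To turn those version boundaries into a check you can run against a deployed application, here is an added example in Python (not from the advisory or from PHPUnit). It reads composer.lock to find the locked phpunit/phpunit version and compares it with the introduced/fixed boundaries stated above, and independently inspects the shipped vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php for the php://input read that the patch replaced with php://stdin. The composer.lock excerpt and the two one-line file contents are constructed for the example, and the helper names are mine.

```python
"""Audit a PHP project for the PHPUnit eval-stdin.php flaw.

Added example, not code from the advisory or from PHPUnit. Two checks:
  1. composer.lock: is the locked phpunit/phpunit version inside an
     affected range (introduced 4.8.19 / 5.0.10, fixed 4.8.28 / 5.6.3)?
  2. vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: does the file on
     disk still feed php://input to eval(), or the patched php://stdin?
"""
import json
import re
import sys
from pathlib import Path

# (lower bound inclusive, upper bound exclusive), per the advisory.
AFFECTED_RANGES = [
    ((4, 8, 19), (4, 8, 28)),
    ((5, 0, 10), (5, 6, 3)),
]
EVAL_STDIN_REL = Path("vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php")

# Constructed samples, not real project files.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "5.6.2"},
        {"name": "sebastian/diff", "version": "1.4.1"},
    ],
})
VULNERABLE_EVAL_STDIN = "<?php\neval('?>' . file_get_contents('php://input'));\n"
PATCHED_EVAL_STDIN = "<?php\neval('?>' . file_get_contents('php://stdin'));\n"

# The one-liner the patch changed: only the stream wrapper differs.
PHP_INPUT_READ = re.compile(r"""file_get_contents\(\s*['"]php://input['"]\s*\)""")


def parse_version(version: str) -> tuple:
    """'v5.6.2' -> (5, 6, 2); '4.8' -> (4, 8, 0). Only the first three
    numeric components matter for these ranges."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def phpunit_version_from_lock(lock_text: str):
    """Locked phpunit/phpunit version, or None if absent. PHPUnit belongs
    in packages-dev, but packages is checked too: a test tool promoted to
    a production dependency is exactly how this file ends up deployed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg.get("version")
    return None


def eval_stdin_reads_request_body(source: str) -> bool:
    """True if the shipped eval-stdin.php still reads php://input."""
    return PHP_INPUT_READ.search(source) is not None


def audit(lock_text: str, eval_stdin_source=None) -> dict:
    """Combine both checks. A hand-patched file with an affected locked
    version is still flagged, because the next composer install reverts it."""
    version = phpunit_version_from_lock(lock_text)
    version_affected = version is not None and is_affected(version)
    file_reads_input = (
        eval_stdin_reads_request_body(eval_stdin_source)
        if eval_stdin_source is not None else None
    )
    return {
        "phpunit_version": version,
        "version_affected": version_affected,
        "file_reads_php_input": file_reads_input,
        "vulnerable": bool(version_affected or file_reads_input),
    }


def audit_project(root: str) -> dict:
    """Run the audit against a real project directory (needs composer.lock)."""
    root = Path(root)
    lock_text = (root / "composer.lock").read_text()
    eval_stdin = root / EVAL_STDIN_REL
    source = eval_stdin.read_text() if eval_stdin.exists() else None
    return audit(lock_text, source)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = audit_project(sys.argv[1])
    else:
        result = audit(SAMPLE_LOCK, VULNERABLE_EVAL_STDIN)
    print(json.dumps(result, indent=2))
```

Run it as python audit_phpunit.py /path/to/app to check a real checkout; with no argument it audits the constructed samples. Note that the file check only tells you whether the script is patched; whether it is reachable over HTTP is a separate question for the web server configuration, and the answer on a production host should be no in either case.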
If the file is accessible at: