Exploiting vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

PHPUnit is the undisputed standard for testing PHP applications, found in almost every modern project's vendor/ directory. However, a significant security flaw found in older versions—specifically the —has continued to plague developers years after its discovery.

The vulnerability exists in the file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. The contents of the file in vulnerable versions are minimal and look roughly like this:

eval('?>' . file_get_contents('php://input'));

php://input is the raw body of the HTTP request, and eval() evaluates that string as PHP code. The leading '?>' closes PHP mode first, so the body is parsed exactly the way a .php file would be: whatever sits between <?php and ?> in the request body runs on the server, with no authentication and no validation of any kind. PHPUnit uses this file to run test code in a child PHP process; it was never meant to be reachable over HTTP.

The attacker needs access to a server that runs a vulnerable version of PHPUnit and can reach the eval-stdin.php file through a web request or other means. In many shared hosting or poorly configured nginx/Apache setups, the web root points to the project root (where vendor/ lives) instead of a /public subdirectory. This exposes every vendor file to the world, eval-stdin.php included.

With the file exposed, exploitation is a single request that POSTs PHP code as the body:

curl -X POST https://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
  -d "<?php system('id'); ?>"

The server executes the body and returns the output of id (the uid and gid of the web server user) in the response, which confirms remote code execution as that user. Any other command works the same way; swap in ls and the response is the listing of the current directory.

Script kiddies and botnets don't check version numbers. They blindly spray payloads at this endpoint, so even if the installed PHPUnit version is patched, if the file exists and is reachable they will attempt the exploit, and every attempt lands in your access logs. The fix is to remove the file (and the entire PHPUnit development dependency from production): test tooling has no business on a production web server, installing with Composer's --no-dev flag keeps PHPUnit out of vendor/ altogether, and vendor/ should never sit inside the document root in the first place.
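The document-root misconfiguration described above (web root at the project root rather than at /public) is easy to check for before a deploy. The following is an added example, not code from the original page or from the PHPUnit project: it walks a document root, reports every file that would be served from a vendor/ directory, and specifically answers whether eval-stdin.php is reachable. The project tree it builds under a temporary directory is constructed for the demonstration, as are the file bodies.

```python
"""Pre-deploy check: does the web server's document root expose vendor/?
Added example; the demo project tree and its file contents are constructed."""
import os
import tempfile

# Path from the text, relative to the project root.
EVAL_STDIN = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def exposed_vendor_files(docroot: str) -> list:
    """Return URL paths (relative to docroot) of every file that lives under
    a vendor/ directory inside the document root. Any vendor/ directory is
    flagged, since none of it should be web-servable."""
    docroot = os.path.realpath(docroot)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        parts = [] if rel == "." else rel.split(os.sep)
        if "vendor" in parts:
            for name in filenames:
                hits.append("/" + "/".join(parts + [name]))
    return sorted(hits)


def eval_stdin_reachable(docroot: str) -> bool:
    """True when the exact file the exploit targets would be served."""
    return "/" + EVAL_STDIN in exposed_vendor_files(docroot)


def build_demo_project() -> str:
    """Construct a throwaway project mirroring the layout in the text:
    vendor/ at the project root, application entry point under public/."""
    root = tempfile.mkdtemp(prefix="phpunit-demo-")
    files = {
        EVAL_STDIN: "<?php eval('?>' . file_get_contents('php://input'));\n",
        "vendor/autoload.php": "<?php // autoloader stub (constructed)\n",
        "public/index.php": "<?php echo 'hello';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def check_demo_layouts() -> dict:
    """Run the check against both document-root choices for the demo tree."""
    project = build_demo_project()
    return {
        # Misconfiguration from the text: docroot == project root.
        "docroot=project root": eval_stdin_reachable(project),
        # Correct layout: docroot == project/public.
        "docroot=public": eval_stdin_reachable(os.path.join(project, "public")),
    }


if __name__ == "__main__":
    for layout, reachable in check_demo_layouts().items():
        print(f"{layout:22s} eval-stdin.php reachable: {reachable}")
    # docroot=project root -> True, docroot=public -> False
```

Point it at the real document root from your nginx root or Apache DocumentRoot directive; any non-empty result means vendor/ is servable and the layout, not just this one file, needs fixing.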
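Because botnets spray this endpoint regardless of version, the requests are worth watching for in access logs. The following is an added example, not code from the original page: it parses nginx/Apache combined-format log lines, flags every request to an eval-stdin.php path, and separates harmless probes (the server answered with anything but 2xx) from the case that matters, a 2xx response, which means the file exists, was reached, and evaluated the request body. The log lines, IP addresses and the alternative path variant are constructed for the demonstration.

```python
"""Flag eval-stdin.php probes and successful hits in a combined-format
access log. Added example; the sample log lines are constructed."""
import re
from collections import Counter
from typing import Optional

# Combined Log Format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

TARGET = "eval-stdin.php"

# Constructed sample: two 404 probes (note the second path variant), one
# unrelated request, and one request that the file actually answered.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:31 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:32 +0000] "POST /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:02:15:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:02:16:40 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 37 "-" "python-requests/2.31"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[str]:
    """'reachable' when the eval-stdin.php path answered 2xx (the file exists
    and ran the body), 'probe' for any other response to that path, None if
    the request is unrelated."""
    if TARGET not in entry["path"].lower():
        return None
    return "reachable" if 200 <= entry["status"] < 300 else "probe"


def scan(log_text: str) -> list:
    """Return one finding per request that targeted eval-stdin.php."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append({"ip": entry["ip"], "method": entry["method"],
                             "path": entry["path"], "status": entry["status"],
                             "verdict": verdict})
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by verdict: many probes are background noise, a single
    'reachable' is an incident."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['verdict']:9s} {f['ip']:15s} {f['status']} {f['path']}")
    print(dict(summarize(results)))  # {'probe': 2, 'reachable': 1}
```

The method is deliberately not used as a filter: scanners also send GET requests to see whether the path exists before posting a payload. Treat a 'reachable' verdict as confirmed code execution until proven otherwise, since the only way that file answers 2xx is by evaluating whatever was in the body.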