Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Cve Jun 2026

Even if PHPUnit remains, prevent external access to it.

| Attribute | Details |
| -------------------- | ------------------------------------------------------------- |
| CVE ID | CVE-2017-9841 |
| CVSS Score | 9.8 (Critical) |
| Vulnerable File | src/Util/PHP/eval-stdin.php |
| Attack Vector | HTTP POST request to the exposed PHPUnit file |
| Affected Versions | PHPUnit < 4.8.28 and 5.x < 5.6.3 |
| Patched Versions | 4.8.28, 5.6.3, 6.x, and all later releases |
| Primary Cause | Insecure use of eval() on user-supplied input |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Exploitation | Trivial; public exploits available |
| Mitigation | Upgrade PHPUnit, remove it from production, block access to /vendor/ |

Marta had been awake too long, chasing a redacted error through the twilight of an old repository. The project’s tests had started failing after a hurried “maintenance” commit made by someone who had left the company two winters ago. The culprit looked like a tiny, forgotten utility: eval-stdin.php — a file named like an afterthought, tucked under util/. It took input from stdin, evaluated it, and returned the result. No one on the team remembered why it existed. No tests covered it. Suspicion blossomed in Marta’s mind like mildew in an unused attic.

CVE-2017-9841 is a critical (CVSS 9.8) Remote Code Execution (RCE) vulnerability in PHPUnit, a popular testing framework for PHP applications. Despite being years old, it remains a frequent target for automated scanners and botnets, because exploitation relies on misconfigured production environments where development tools are accidentally exposed.

The Core Flaw: eval-stdin.php

This file was designed to let PHPUnit execute a chunk of test code in a separate PHP process: it reads PHP source and hands it to eval(). In the vulnerable versions it reads that source from the HTTP request body (php://input) rather than from the process's standard input. As long as the file is only reachable from PHPUnit's own command-line process that is harmless, but once the vendor/ directory is inadvertently exposed to the public web, anyone who can send a POST request to it can run arbitrary PHP with the web server's privileges. A request body as small as this executes a system command and returns its output:

```php
<?php system('id'); ?>
```
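The two shapes of the helper script, written out here as an added illustration (reconstructed to show the flaw; it is not code quoted on this page). The only difference between the vulnerable and the patched file is which stream is read: php://input is the body of the current HTTP request, php://stdin is the standard input of the PHP process, which a remote client cannot write to. The leading '?>' is what forces an attacker's body to start with "<?php".

```php
<?php
// Added example: the core of vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
// in its vulnerable and patched forms. PHPUnit launches a second PHP process
// running this script and feeds it the test code to evaluate.

// Vulnerable form (PHPUnit < 4.8.28, 5.x < 5.6.3). php://input is the HTTP
// request body, so if a web server executes this file, any POST body that
// begins with "<?php" is evaluated on the server:
//
//   eval('?>' . file_get_contents('php://input'));

// Patched form (4.8.28, 5.6.3 and later). php://stdin is the process's own
// standard input; a web request has no way to write to it, so the script is
// only usable by the PHPUnit process that spawned it.
eval('?>' . file_get_contents('php://stdin'));
```

Note that the patch only removes the remote trigger. The file still evaluates whatever it is given, so the deployment advice on this page (do not ship PHPUnit to production, and never serve vendor/) applies even to patched versions.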

She thought of the CVE that would be written for it: short, clinical lines about remote code execution and severity scores. She could see the headlines already, the security teams’ red banners, the midnight patches and the mandatory postmortems. But before the bureaucracy, there was a chance to do the human thing: fix it quietly, teach the team, and prevent the chaos.

The file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php is a perfect storm: a unit-testing helper, a `composer install` run without the `--no-dev` flag, and a vendor/ directory that the web server is willing to serve. CVE-2017-9841 turned two lines of code into a universal RCE gadget for hundreds of thousands of applications.

Many automated scanners, such as the PHPUnit Go Scanner, check dozens of candidate paths where eval-stdin.php might be located, because applications install PHPUnit under many different prefixes and PHPUnit's own directory layout has changed between major versions. After confirming a vulnerable target, the attacker can execute system commands to compromise the server further.
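The flip side of that scanner behaviour is that the probes are easy to spot in a web server's access log. The script below is an added example (it is not part of the page or of any scanner) that flags every request to an eval-stdin.php path in combined-format log lines, after URL-decoding the path so that escaped variants are caught too. It separates a successful POST (the server answered 200, so the body was most likely evaluated) from a probe that was blocked or hit a missing file. The log lines are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: detect CVE-2017-9841 probes and likely successes in an
// Apache/nginx combined-format access log. Sample lines are constructed.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [12/Jun/2026:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2026:03:14:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 21 "-" "python-requests/2.31"
203.0.113.9 - - [12/Jun/2026:03:14:10 +0000] "POST /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.4 - - [12/Jun/2026:03:20:41 +0000] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin%2Ephp HTTP/1.1" 403 0 "-" "curl/8.4.0"
LOG;

// Client IP, timestamp, method, request path and status from a combined-format line.
const LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/';

/**
 * Return one finding per request whose decoded path ends in eval-stdin.php.
 * Severity is "compromise-likely" for a POST that returned 200 (the body was
 * almost certainly passed to eval) and "probe" for anything else.
 */
function findEvalStdinRequests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue; // not a combined-format line
        }
        // Decode %XX escapes and drop any query string before matching, so
        // "eval-stdin%2Ephp" and "eval-stdin.php?x=1" are both caught.
        $path = strtok(rawurldecode($m['path']), '?');
        if (!preg_match('~/eval-stdin\.php$~i', $path)) {
            continue;
        }
        $status = (int) $m['status'];
        $findings[] = [
            'ip'       => $m['ip'],
            'time'     => $m['time'],
            'method'   => $m['method'],
            'path'     => $path,
            'status'   => $status,
            'severity' => ($m['method'] === 'POST' && $status === 200)
                ? 'compromise-likely' : 'probe',
        ];
    }
    return $findings;
}

// Stand-alone usage: php detect-eval-stdin.php
foreach (findEvalStdinRequests(SAMPLE_LOG) as $f) {
    printf("%-17s %-4s %3d %s %s\n",
        $f['severity'], $f['method'], $f['status'], $f['ip'], $f['path']);
}
```

On the sample data the second line is reported as compromise-likely and the other two hits as probes. A compromise-likely finding should be treated as an incident, not a scan: the same client's subsequent requests, new files under the document root and outbound connections from the PHP worker are the places to look next.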

“Yes,” Marta replied. “And add a test that it isn’t shipped.”

Prevent direct access to any script inside vendor/:
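The following nginx server block is an added example of that rule, not configuration taken from the page. It assumes a document root that contains the vendor/ directory (the hostname, root and PHP-FPM socket path are placeholders) and that PHP is dispatched through the usual regex location. The important detail is the `^~` modifier: without it, a plain `location /vendor/` prefix is outranked by the `~ \.php$` regex location, and a request for /vendor/.../eval-stdin.php would still be handed to PHP-FPM.

```nginx
# Added example: deny web access to Composer's vendor/ tree so that no script
# inside it, eval-stdin.php included, is reachable over HTTP.
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/app;                # placeholder: the directory that contains vendor/
    index index.php;

    # "^~" makes this prefix match win over the "~ \.php$" regex location
    # below, so the request never reaches the PHP handler.
    location ^~ /vendor/ {
        return 404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Check it with `nginx -t`, reload, and confirm that a POST to /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php now returns 404 instead of 200. The equivalent for Apache is `Require all denied` in a `<Directory>` block for the vendor/ path in the server configuration. Better still, point the document root at a public/ subdirectory so that vendor/ lies outside it entirely, and build production with `composer install --no-dev` so that PHPUnit is never installed there in the first place.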

The vulnerable file in question is: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php