Critical severity9.8CISA KEVNVD Advisory· Published Jun 27, 2017· Updated Apr 21, 2026

CVE-2017-9841

Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
phpunit/phpunitPackagist	>= 4.8.19, < 4.8.28	4.8.28
phpunit/phpunitPackagist	>= 5.0.10, < 5.6.3	5.6.3

Affected products

Oracle Corporation/Communications Diameter Signaling Router
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Range: >=8.0.0,<=8.5.0
Phpunit Project/Phpunit
cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*:*
Range: <=4.8.27

Patches

284a69fb88a2

Correct fix for #1956

https://github.com/sebastianbergmann/phpunitBob WeinandNov 13, 2016via ghsa

commit

2 files changed · +2 −2

src/Util/PHP/eval-stdin.php+1 −1 modified

@@ -1,3 +1,3 @@
 <?php
 
-eval('?>' . file_get_contents('php://input'));
+eval('?>' . file_get_contents('php://stdin'));

src/Util/PHP/Template/TestCaseMethod.tpl.dist+1 −1 modified

@@ -55,7 +55,7 @@ function __phpunit_run_isolated_test()
         $output = $test->getActualOutput();
     }
 
-    rewind(STDOUT);
+    @rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */
     if ($stdout = stream_get_contents(STDOUT)) {
         $output = $stdout . $output;
     }

a9de0dbafeb6

https://github.com/sebastianbergmann/phpunitvia osv

3aaddb1c5bd9

Fix insulated tests with phpdbg

https://github.com/sebastianbergmann/phpunitNicolas GrekasNov 17, 2015via ghsa

commit

2 files changed · +9 −1

src/Util/PHP/Default.php+6 −1 modified

@@ -30,9 +30,14 @@ class PHPUnit_Util_PHP_Default extends PHPUnit_Util_PHP
     public function runJob($job, array $settings = array())
     {
         $runtime = new Runtime;
+        $runtime = $runtime->getBinary() . $this->settingsToParameters($settings);
+
+        if ('phpdbg' === PHP_SAPI) {
+            $runtime .= ' -qrr '.escapeshellarg(__DIR__ . '/eval-stdin.php');
+        }
 
         $process = proc_open(
-            $runtime->getBinary() . $this->settingsToParameters($settings),
+            $runtime,
             array(
             0 => array('pipe', 'r'),
             1 => array('pipe', 'w'),

src/Util/PHP/eval-stdin.php+3 −0 added

@@ -0,0 +1,3 @@
+<?php
+
+eval('?>'.file_get_contents('php://input'));

d3fbbc4d6f6f

https://github.com/sebastianbergmann/phpunitvia nvd-ref

PR #1956

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5nvdPatchThird Party AdvisoryWEB
github.com/sebastianbergmann/phpunit/pull/1956nvdPatchThird Party AdvisoryWEB
www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party AdvisoryWEB
web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/nvdThird Party Advisory
github.com/advisories/GHSA-r7c9-c69m-rph8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-9841ghsaADVISORY
security.gentoo.org/glsa/201711-15nvdThird Party AdvisoryWEB
web.archive.org/web/20170701212357/http://phpunit.vulnbusters.comghsaWEB
www.securityfocus.com/bid/101798nvdBroken LinkWEB
www.securitytracker.com/id/1039812nvdBroken LinkWEB
github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2017-9841.yamlghsaWEB
github.com/sebastianbergmann/phpunit/commit/3aaddb1c5bd9b9b8d070b4cf120e71c36fd08412ghsaWEB
github.com/sebastianbergmann/phpunit/pull/1955ghsaWEB
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.075
exploit	0.030
kev	0.120
patch	-0.070
ransomware	0.000