High severity (7.7) · OSV Advisory · Published Aug 11, 2021 · Updated Jun 17, 2026
CVE-2021-23420
Description
This affects the package codeception/codeception in versions from 4.0.0 before 4.1.22, and in versions before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that deserializes user input without validation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codeception/codeception (Packagist) | < 3.1.3 | 3.1.3 |
| codeception/codeception (Packagist) | >= 4.0.0, < 4.1.22 | 4.1.22 |
Affected products
- Range: 1.0.1, 1.0.10, 1.0.11, …
References
- github.com/Codeception/Codeception/pull/6241 (NVD: Patch, Third Party Advisory)
- github.com/advisories/GHSA-4574-qv3w-fcmg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23420 (GHSA: Advisory)
- snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585 (NVD: Third Party Advisory)
- github.com/Codeception/Codeception/blob/4.1/CHANGELOG-4.x.md (GHSA)
- github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php (GHSA)
- github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php%23L52 (NVD: Broken Link)
- github.com/Codeception/Codeception/commit/802a108057d250ee563120eaa5365a519afc0a71 (GHSA)
- github.com/Codeception/Codeception/commit/cbce9ea7f4664052fa1ac6b36f5b5a6dbd864d71 (GHSA)
- github.com/FriendsOfPHP/security-advisories/blob/master/codeception/codeception/CVE-2021-23420.yaml (GHSA)