Critical severity · OSV Advisory · Published Aug 11, 2021 · Updated Sep 16, 2024
Deserialization of Untrusted Data
CVE-2021-23420
Description
This affects the package codeception/codeception in versions from 4.0.0 before 4.1.22, and in versions before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that deserializes user input without validation.
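The two defensive layers this advisory implies, as an added PHP example that is not Codeception's code: a per-class guard in the same shape as the patch, and a call-site control that keeps unserialize() from instantiating any class (GuardedRunner and unserializeUntrusted are hypothetical names; the inputs are constructed).

```php
<?php
declare(strict_types=1);

// Added example, not Codeception's code. Two defensive layers: (1) the
// per-class guard the patch adds to RunProcess, (2) the call-site control
// that stops unserialize() from instantiating any class at all.

final class GuardedRunner          // hypothetical stand-in for a gadget class
{
    /** @var string[] */
    private array $commands;

    public function __construct(string ...$commands)
    {
        $this->commands = $commands;
    }

    // Same pattern as the patch: refuse to be serialized at all.
    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    // Same pattern as the patch: unserialize() invokes __wakeup() once the
    // object is rebuilt, so the throw aborts the restore.
    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// Layer 2: with allowed_classes=false every object in the stream becomes a
// __PHP_Incomplete_Class, which has no __destruct, so no gadget can fire.
function unserializeUntrusted(string $data): array
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new \UnexpectedValueException('Expected a serialized array');
    }
    return $value;
}

// Constructed inputs for the demonstration.
$plain  = serialize(['job' => 'lint', 'retries' => 2]);
$object = 'O:13:"GuardedRunner":0:{}';   // serialized object, no properties

echo unserializeUntrusted($plain)['job'], PHP_EOL;       // lint
try { unserializeUntrusted($object); } catch (\UnexpectedValueException $e) { echo $e->getMessage(), PHP_EOL; }
try { unserialize($object); } catch (\BadMethodCallException $e) { echo $e->getMessage(), PHP_EOL; }
```

The call-site control is the one that protects an application even when a gadget class has no guard of its own; the per-class guard only helps once the library is upgraded.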
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codeception/codeception (Packagist) | < 3.1.3 | 3.1.3 |
| codeception/codeception (Packagist) | >= 4.0.0, < 4.1.22 | 4.1.22 |
Affected products
- Range: 1.0.1, 1.0.10, 1.0.11, …
Patches
802a108057d2 · Security: Disable deserialization of RunProcess class (#6241)
1 file changed · +22 −0
ext/RunProcess.php+22 −0 modified@@ -102,4 +102,26 @@ public function stopProcess() } $this->processes = []; } + + /** + * Disable the deserialization of the class to prevent attacker executing + * code by leveraging the __destruct method. + * + * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection + */ + public function __sleep() + { + throw new \BadMethodCallException('Cannot serialize ' . __CLASS__); + } + + /** + * Disable the deserialization of the class to prevent attacker executing + * code by leveraging the __destruct method. + * + * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection + */ + public function __wakeup() + { + throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__); + } }
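Review bot: the docblock on __sleep() says it disables deserialization, but __sleep() is the serialization hook; only the __wakeup() docblock actually describes what unserialize() triggers. Suggest rewording the first to "Disable serialization of the class so instances can never appear in a serialized stream", and fixing "prevent attacker executing" to "prevent an attacker from executing" in both. The two identical docblocks could also be collapsed by having the second one refer to the first.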
cbce9ea7f466 · Security: Disable deserialization of RunProcess class (#6241)
1 file changed · +22 −0
ext/RunProcess.php+22 −0 modified@@ -107,4 +107,26 @@ public function stopProcess() } $this->processes = []; } + + /** + * Disable the deserialization of the class to prevent attacker executing + * code by leveraging the __destruct method. + * + * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection + */ + public function __sleep() + { + throw new \BadMethodCallException('Cannot serialize ' . __CLASS__); + } + + /** + * Disable the deserialization of the class to prevent attacker executing + * code by leveraging the __destruct method. + * + * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection + */ + public function __wakeup() + { + throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__); + } }
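Review bot: this hunk is the same as the one in 802a108057d2, only shifted from line 102 to line 107, so the same docblock wording issue applies. One caveat worth recording in the comment: since PHP 7.4 a class that defines __unserialize() has its __wakeup() ignored, so this guard holds only while no subclass adds __unserialize(); marking the class final, or adding a throwing __unserialize() next to __wakeup(), would make that explicit.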
References
- github.com/advisories/GHSA-4574-qv3w-fcmg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23420 (NVD advisory)
- github.com/Codeception/Codeception/blob/4.1/CHANGELOG-4.x.md
- github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php
- github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php#L52
- github.com/Codeception/Codeception/commit/802a108057d250ee563120eaa5365a519afc0a71
- github.com/Codeception/Codeception/commit/cbce9ea7f4664052fa1ac6b36f5b5a6dbd864d71
- github.com/Codeception/Codeception/pull/6241
- github.com/FriendsOfPHP/security-advisories/blob/master/codeception/codeception/CVE-2021-23420.yaml
- snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585