PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
### Overview
A vulnerability has been discovered involving unsafe deserialization of code coverage data during PHPT test execution. The `cleanupForCoverage()` method deserializes a code coverage file without restricting which classes may be instantiated, so a malicious `.coverage` file that is present before the PHPT test runs can lead to arbitrary code execution in the PHPUnit process.
### Technical Details
**Affected Component:** PHPT test runner, method `cleanupForCoverage()`
**Affected Versions:** <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7
### Vulnerable Code Pattern
```php
if ($buffer !== false) {
    // Unrestricted unserialize(): no allowed_classes option, so any class that is
    // loadable in the test process may be instantiated and its __wakeup()/__destruct()
    // magic methods invoked with attacker-controlled property values.
    $coverage = @unserialize($buffer);
}
```
The `.coverage` file should not exist before test execution, yet whatever is found at that path is deserialized without the `allowed_classes` option. An attacker with local file write access can place there a serialized object of a class that is loadable in the test process and defines a magic method such as `__wakeup()` or `__destruct()`; `unserialize()` instantiates the object and invokes that method, leading to arbitrary code execution whenever PHPT tests run with code coverage instrumentation enabled.
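The following is an added example, not code from PHPUnit: it places the vulnerable pattern beside an illustrative hardened loader that passes `allowed_classes => false` and then insists on the array shape coverage data has. The `WakeupGadget` class and the `loadCoverageUnsafe()`/`loadCoverageSafe()` helpers are constructed for this demo and stand in for any real gadget class and for `cleanupForCoverage()` respectively; the hardened variant is one possible fix, not PHPUnit's actual patch.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any autoloadable class that carries a magic method.
// In a real attack the attacker relies on such a class already existing in the
// test process (application code, PHPUnit itself, or a vendor dependency).
final class WakeupGadget
{
    public string $cmd = '';

    public function __wakeup(): void
    {
        // A real gadget would hand $this->cmd to something dangerous (shell_exec,
        // file writes, ...); this demo only reports that the method fired.
        echo "__wakeup() fired inside unserialize() with cmd=" . $this->cmd . PHP_EOL;
    }
}

// The vulnerable pattern from cleanupForCoverage(): no class restriction at all.
function loadCoverageUnsafe(string $buffer): mixed
{
    return @unserialize($buffer);
}

// Hardened variant (illustrative, not PHPUnit's patch): with allowed_classes => false
// no class is instantiated, so no __wakeup()/__destruct() can run. Any object in the
// payload arrives as __PHP_Incomplete_Class, which fails the array check and is rejected.
function loadCoverageSafe(string $buffer): array|false
{
    $coverage = @unserialize($buffer, ['allowed_classes' => false]);

    return is_array($coverage) ? $coverage : false;
}

// Constructed payload: the bytes an attacker would drop into a stray .coverage file.
$gadget = new WakeupGadget();
$gadget->cmd = 'id';
$payload = serialize($gadget);

echo "[unsafe loader] deserializing attacker-controlled .coverage contents" . PHP_EOL;
$result = loadCoverageUnsafe($payload);
echo "  got an instance of " . get_class($result) . PHP_EOL;

echo "[safe loader] same payload" . PHP_EOL;
$result = loadCoverageSafe($payload);
echo "  rejected: " . var_export($result === false, true) . PHP_EOL;

// A legitimate coverage array (file => line => status) passes the safe loader untouched.
$legit = ['/src/Foo.php' => [3 => 1, 4 => -1]];
echo "[safe loader] legitimate coverage data" . PHP_EOL;
echo "  accepted unchanged: " . var_export(loadCoverageSafe(serialize($legit)) === $legit, true) . PHP_EOL;
```

Run it with `php demo.php`. The unsafe loader prints the `__wakeup()` line before it even returns, which is the whole point: the attacker's code runs during `unserialize()`, regardless of what the caller does with the result afterwards. Note that `allowed_classes => false` is only part of a fix; a loader that still does nothing with the `__PHP_Incomplete_Class` placeholder is harmless, but anything that later re-serializes or inspects it should treat it as hostile input.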
### Attack Prerequisites and Constraints
This vulnerability requires **local file write access** to the location where PHPUnit stores or expects code coverage files for PHPT tests. That access can be obtained through:
* **CI/CD Pipeline Attacks:** A malicious pull request that places a `.coverage` file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
* **Local Development Environment:** An attacker with shell access or ability to write files to the project directory
* **Compromised Dependencies:** A supply chain attack inserting malicious files into a package or monorepo
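Because every path above ends with an unexpected `.coverage` file already on disk before the test run, a cheap CI guard is to refuse to start coverage-instrumented tests while any such file exists. The script below is an added example, not part of PHPUnit or of the advisory: `findStaleCoverageFiles()` is a constructed helper, the scan root defaults to the current directory, and the decision to scan `vendor/` as well (so a compromised dependency is caught, not just a pull request) is a design choice of this example.

```php
<?php
declare(strict_types=1);

// Constructed pre-flight guard: walk the checkout (vendor/ included) and report every
// file with a .coverage extension. Before a PHPT run with coverage enabled there should
// be none, so any hit is treated as hostile input rather than as a leftover artifact.
function findStaleCoverageFiles(string $root): array
{
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );

    foreach ($iterator as $file) {
        /** @var SplFileInfo $file */
        if ($file->isFile() && $file->getExtension() === 'coverage') {
            $found[] = $file->getPathname();
        }
    }

    sort($found);

    return $found;
}

// Usage: php coverage-guard.php [path]   (exit 1 blocks the pipeline step that follows)
$root = $argv[1] ?? getcwd();
$stale = findStaleCoverageFiles($root);

if ($stale !== []) {
    fwrite(STDERR, "Refusing to run PHPT tests with coverage: .coverage files already present:\n");
    foreach ($stale as $path) {
        fwrite(STDERR, "  {$path}\n");
    }
    exit(1);
}

echo "No pre-existing .coverage files under {$root}\n";
```

Wire it in as the step immediately before `phpunit --coverage-*` in the CI job; it does not replace upgrading to a fixed release, it only closes the "file is already there when the test starts" window that all three attack paths depend on, and it does so without ever calling `unserialize()` on the suspect file.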