{"url":"http://public2.vulnerablecode.io/api/packages/72421?format=json","purl":"pkg:composer/phpunit/phpunit@11.0.0","type":"composer","namespace":"phpunit","name":"phpunit","version":"11.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.8.28","latest_non_vulnerable_version":"12.5.8","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22265?format=json","vulnerability_id":"VCID-xred-w2m8-wbgw","summary":"PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling\n### Overview\n\nA vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test.\n\n### Technical Details\n\n**Affected Component:** PHPT test runner, method `cleanupForCoverage()`\n**Affected Versions:** <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7\n\n### Vulnerable Code Pattern\n\n```php\nif ($buffer !== false) {\n    // Unsafe call without restrictions\n    $coverage = @unserialize($buffer);\n}\n```\n\nThe vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.\n\n### Attack Prerequisites and Constraints\n\nThis vulnerability requires **local file write access** to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:\n\n* **CI/CD Pipeline Attacks:** A malicious pull request that places a `.coverage` file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information\n* **Local Development Environment:** An attacker with shell access or ability to write files to the project directory\n* **Compromised Dependencies:** A supply chain attack inserting malicious files into a package or monorepo","references":[{"reference_url":"https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/commit/613d142f5a8471ca71623ce5ca2795f79248329e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/commit/613d142f5a8471ca71623ce5ca2795f79248329e"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html"},{"reference_url":"https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution","reference_id":"","reference_type":"","scores":[],"url":"https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24765","reference_id":"CVE-2026-24765","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24765"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-24765.yaml","reference_id":"CVE-2026-24765.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-24765.yaml"},{"reference_url":"https://github.com/advisories/GHSA-vvj3-c3rp-c85p","reference_id":"GHSA-vvj3-c3rp-c85p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vvj3-c3rp-c85p"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p","reference_id":"GHSA-vvj3-c3rp-c85p","reference_type":"","scores":[],"url":"https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72426?format=json","purl":"pkg:composer/phpunit/phpunit@11.5.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@11.5.50"},{"url":"http://public2.vulnerablecode.io/api/packages/72427?format=json","purl":"pkg:composer/phpunit/phpunit@12.5.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@12.5.8"}],"aliases":["CVE-2026-24765","GHSA-vvj3-c3rp-c85p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xred-w2m8-wbgw"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@11.0.0"}
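The advisory summary above shows the unrestricted `@unserialize($buffer)` call and says the missing piece is the `allowed_classes` restriction on a `.coverage` file that should not exist before the PHPT test runs. The following is an added, self-contained PHP example written for this page; it is not PHPUnit's code and does not reproduce the referenced fix commits. It plants a constructed serialized object whose `__wakeup()` records a hit, shows that the unrestricted load fires it, and shows two mitigations consistent with the advisory's description: deserializing with `'allowed_classes' => false` plus a type check on the result, and refusing to run at all when a `.coverage` file is already present. The `Gadget` class, the `vulnerableLoad`/`hardenedLoad`/`refuseStaleCoverage` functions and the `foo.phpt` to `foo.coverage` path convention are assumptions for illustration only.

```php
<?php
declare(strict_types=1);

// Added example, not PHPUnit's own code. Demonstrates why an unrestricted
// unserialize() of a file an attacker can write is dangerous, and the
// allowed_classes restriction the advisory describes as missing.

// Hypothetical gadget class standing in for any autoloadable class whose
// __wakeup() (or __destruct()) does something dangerous. Here it only logs.
final class Gadget
{
    public static array $log = [];
    public string $cmd = 'id';

    public function __wakeup(): void
    {
        // A real gadget chain might run shell_exec($this->cmd) here.
        self::$log[] = 'wakeup:' . $this->cmd;
    }
}

// Attacker-controlled content of a pre-planted .coverage file (constructed).
function maliciousCoverageBlob(): string
{
    $g = new Gadget();
    $g->cmd = 'touch /tmp/pwned';
    return serialize($g);
}

// The pattern the advisory describes: no restriction, so __wakeup() fires
// for whatever class the attacker named in the blob.
function vulnerableLoad(string $buffer): mixed
{
    return @unserialize($buffer);
}

// Hardened variant: no class may be instantiated (objects come back as
// __PHP_Incomplete_Class with no magic methods invoked), and anything that
// is not the plain array structure coverage data is expected to be is rejected.
function hardenedLoad(string $buffer): ?array
{
    $data = @unserialize($buffer, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Pre-run guard: the coverage file for a PHPT test must not exist before the
// test runs. If it does, someone planted it. The foo.phpt -> foo.coverage
// path convention is hypothetical, chosen for this example.
function refuseStaleCoverage(string $phptFile): void
{
    $coverageFile = preg_replace('/\.phpt$/', '.coverage', $phptFile);
    if (file_exists($coverageFile)) {
        throw new RuntimeException("Refusing to run: pre-existing coverage file $coverageFile");
    }
}

$blob = maliciousCoverageBlob();

Gadget::$log = [];
vulnerableLoad($blob);
printf("vulnerable load: __wakeup fired %d time(s)\n", count(Gadget::$log));

Gadget::$log = [];
$result = hardenedLoad($blob);
printf("hardened load: __wakeup fired %d time(s), result %s\n",
    count(Gadget::$log), var_export($result, true));

// Simulate a planted file next to a (hypothetical) PHPT test and let the
// guard reject the run before any deserialization happens.
$tmpDir = sys_get_temp_dir() . '/phpt-demo-' . getmypid();
mkdir($tmpDir);
file_put_contents("$tmpDir/foo.coverage", $blob);
try {
    refuseStaleCoverage("$tmpDir/foo.phpt");
    echo "guard: no stale coverage file, test may run\n";
} catch (RuntimeException $e) {
    echo 'guard: ' . $e->getMessage() . "\n";
} finally {
    unlink("$tmpDir/foo.coverage");
    rmdir($tmpDir);
}
```

Run it with `php example.php`. The `allowed_classes => false` option is the direct mitigation for the pattern quoted in the advisory; the `is_array` check matters because a restricted `unserialize()` still returns a `__PHP_Incomplete_Class` object rather than failing, so code that blindly uses the result as an array would misbehave. The pre-run guard addresses the CI/CD vector listed under attack prerequisites: a pull request that ships a `.coverage` file alongside the tests cannot get it deserialized if the runner refuses to start when the file is already there.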