Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/73633?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/73633?format=api", "purl": "pkg:composer/phpunit/phpunit@12.5.8", "type": "composer", "namespace": "phpunit", "name": "phpunit", "version": "12.5.8", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49855?format=api", "vulnerability_id": "VCID-kyq1-jkfe-yqc5", "summary": "PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling\n### Overview\n\nA vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test.\n\n### Technical Details\n\n**Affected Component:** PHPT test runner, method `cleanupForCoverage()`\n**Affected Versions:** <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7\n\n### Vulnerable Code Pattern\n\n```php\nif ($buffer !== false) {\n // Unsafe call without restrictions\n $coverage = @unserialize($buffer);\n}\n```\n\nThe vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.\n\n### Attack Prerequisites and Constraints\n\nThis vulnerability requires **local file write access** to the location where PHPUnit stores or expects code coverage files for PHPT tests. 
This can occur through:\n\n* **CI/CD Pipeline Attacks:** A malicious pull request that places a `.coverage` file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information\n* **Local Development Environment:** An attacker with shell access or ability to write files to the project directory\n* **Compromised Dependencies:** A supply chain attack inserting malicious files into a package or monorepo", "references": [ { "reference_url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/commit/613d142f5a8471ca71623ce5ca2795f79248329e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/commit/613d142f5a8471ca71623ce5ca2795f79248329e" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33", 
"reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html" }, { "reference_url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution", "reference_id": "", "reference_type": "", "scores": [], "url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24765", "reference_id": "CVE-2026-24765", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24765" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-24765.yaml", "reference_id": "CVE-2026-24765.YAML", "reference_type": "", "scores": [], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-24765.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-vvj3-c3rp-c85p", "reference_id": "GHSA-vvj3-c3rp-c85p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vvj3-c3rp-c85p" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p", "reference_id": "GHSA-vvj3-c3rp-c85p", "reference_type": "", "scores": [], "url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73629?format=api", "purl": "pkg:composer/phpunit/phpunit@8.5.52", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@8.5.52" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/73630?format=api", "purl": "pkg:composer/phpunit/phpunit@9.6.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@9.6.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/73631?format=api", "purl": "pkg:composer/phpunit/phpunit@10.5.62", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@10.5.62" }, { "url": "http://public2.vulnerablecode.io/api/packages/73632?format=api", "purl": "pkg:composer/phpunit/phpunit@11.5.50", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@11.5.50" }, { "url": "http://public2.vulnerablecode.io/api/packages/73633?format=api", "purl": "pkg:composer/phpunit/phpunit@12.5.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@12.5.8" } ], "aliases": [ "CVE-2026-24765", "GHSA-vvj3-c3rp-c85p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kyq1-jkfe-yqc5" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@12.5.8" }