Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/898411?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/898411?format=api", "purl": "pkg:composer/phpunit/phpunit@8.4.2", "type": "composer", "namespace": "phpunit", "name": "phpunit", "version": "8.4.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.5.52", "latest_non_vulnerable_version": "13.1.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20626?format=api", "vulnerability_id": "VCID-6bt7-kw89-v3dt", "summary": "PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling\n### Overview\n\nA vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test.\n\n### Technical Details\n\n**Affected Component:** PHPT test runner, method `cleanupForCoverage()`\n**Affected Versions:** <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7\n\n### Vulnerable Code Pattern\n\n```php\nif ($buffer !== false) {\n // Unsafe call without restrictions\n $coverage = @unserialize($buffer);\n}\n```\n\nThe vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.\n\n### Attack Prerequisites and Constraints\n\nThis vulnerability requires **local file write access** to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:\n\n* **CI/CD Pipeline Attacks:** A malicious pull request that places a `.coverage` file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information\n* **Local Development Environment:** An attacker with shell access or ability to write files to the project directory\n* **Compromised Dependencies:** A supply chain attack inserting malicious files into a package or monorepo\n\n**Critical Context:** Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of [Poisoned Pipeline Execution (PPE) attacks](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution) affecting CI/CD systems.\n\n### Proposed Remediation Approach\n\nRather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition.\n\n#### Rationale for Error-Based Approach:\n\n1. **Visibility Over Silence:** When an invariant is violated (a `.coverage` file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input\n2. **Operational Security:** A `.coverage` file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:\n * A malicious actor placed it intentionally\n * Build artifacts from a previous run contaminated the environment\n * An unexpected filesystem state requiring investigation\n3. **Defense-in-Depth Principle:** Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:\n * Isolate CI/CD runners (ephemeral, containerized environments)\n * Restrict code execution on protected branches\n * Scan pull requests and artifacts for tampering\n * Use branch protection rules to prevent unreviewed code execution\n\n### Severity Classification\n\n* **Attack Vector (AV):** Local (L) — requires write access to the file system where tests execute\n* **Attack Complexity (AC):** Low (L) — exploitation is straightforward once the malicious file is placed\n* **Privileges Required (PR):** Low (L) — PR submitter status or contributor role provides sufficient access\n* **User Interaction (UI):** None (N) — automatic execution during standard test execution\n* **Scope (S):** Unchanged (U) — impact remains within the affected test execution context\n* **Confidentiality Impact (C):** High (H) — full remote code execution enables complete system compromise\n* **Integrity Impact (I):** High (H) — arbitrary code execution allows malicious modifications\n* **Availability Impact (A):** High (H) — full code execution permits denial-of-service actions\n\n### Mitigating Factors (Environmental Context)\n\nOrganizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:\n\n* **Ephemeral Runners:** Use containerized, single-use CI/CD runners that discard filesystem state between runs\n* **Code Review Enforcement:** Require human review and approval before executing code from pull requests\n* **Branch Protection:** Enforce branch protection rules that block unreviewed code execution\n* **Artifact Isolation:** Separate build artifacts from source; never reuse artifacts across independent builds\n* **Access Control:** Limit file write permissions in CI environments to authenticated, trusted actors\n\n### Fixed Behaviour\n\nWhen a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:\n\n* **Visibility:** The error appears prominently in CI/CD output and test logs\n* **Investigation:** Operations teams can investigate the root cause (potential tampering, environment contamination)\n* **Fail-Fast Semantics:** Test execution stops rather than proceeding with an unexpected state\n\n### Recommendation\n\n**Update to the patched version immediately** if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:\n\n* Pull requests from forks or untrusted sources execute in isolated environments\n* Branch protection rules require human review before code execution\n* CI/CD runners are ephemeral and discarded after each build\n* Build artifacts are not reused across independent runs without validation", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24765.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24765.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24765", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28853", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28803", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31422", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31454", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31476", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31441", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31478", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.3152", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31516", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31487", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31434", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31504", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31632", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.3142", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24765" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24765", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24765" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebastianbergmann/phpunit" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/commit/613d142f5a8471ca71623ce5ca2795f79248329e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebastianbergmann/phpunit/commit/613d142f5a8471ca71623ce5ca2795f79248329e" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33" }, { "reference_url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:13:53Z/" } ], "url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24765", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24765" }, { "reference_url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433606", "reference_id": "2433606", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433606" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-24765.yaml", "reference_id": "CVE-2026-24765.YAML", "reference_type": "", "scores": [], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-24765.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-vvj3-c3rp-c85p", "reference_id": "GHSA-vvj3-c3rp-c85p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vvj3-c3rp-c85p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62273?format=api", "purl": "pkg:composer/phpunit/phpunit@8.5.52", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@8.5.52" }, { "url": "http://public2.vulnerablecode.io/api/packages/62275?format=api", "purl": "pkg:composer/phpunit/phpunit@9.6.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@9.6.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62276?format=api", "purl": "pkg:composer/phpunit/phpunit@10.5.62", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@10.5.62" }, { "url": "http://public2.vulnerablecode.io/api/packages/62278?format=api", "purl": "pkg:composer/phpunit/phpunit@11.5.50", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@11.5.50" }, { "url": "http://public2.vulnerablecode.io/api/packages/62279?format=api", "purl": "pkg:composer/phpunit/phpunit@12.5.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@12.5.8" } ], "aliases": [ "CVE-2026-24765", "GHSA-vvj3-c3rp-c85p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bt7-kw89-v3dt" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@8.4.2" }