Description
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Published: 2026-01-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in PHPUnit allows an attacker who can write to the file system to place a malicious serialized object in a hidden ".coverage" file that is automatically deserialized during PHPT test execution. When code coverage instrumentation is enabled, the deserialization call in the cleanupForCoverage() method fails to restrict the classes that can be instantiated, triggering any `__wakeup()` logic defined in the object. This flaw can lead to arbitrary code execution in the context of the test runner, potentially allowing the attacker to run malicious code, modify artifacts, or exfiltrate data. The impact is severe because any environment that runs PHPUnit tests with coverage enabled becomes vulnerable if it permits writes to the coverage directory.
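The mechanism described above and in the Description, as an added example that is not PHPUnit's own code: a constructed probe class with `__wakeup()`, the unrestricted `unserialize()` pattern, and the two defensive patterns the advisory contrasts (refusing a pre-existing `.coverage` file, and `allowed_classes => false`). It assumes PHP 8.0 or later and a constructed temp-file path.

```php
<?php
declare(strict_types=1);
// Constructed probe: any class with __wakeup() shows why unrestricted
// unserialize() of attacker-writable data is dangerous.
final class WakeupProbe
{
    public static bool $invoked = false;

    public function __wakeup(): void
    {
        self::$invoked = true; // a real gadget would run arbitrary logic here
    }
}

// Vulnerable pattern: trusts whatever already sits in the .coverage file.
function loadCoverageUnsafe(string $path): mixed
{
    return unserialize((string) file_get_contents($path));
}

// Fix 1 (the maintainer's approach): a .coverage file that exists before the
// PHPT test ran is an anomaly, so fail loudly instead of reading it.
function assertNoStaleCoverageFile(string $path): void
{
    if (is_file($path)) {
        throw new RuntimeException("Pre-existing coverage file '$path' found before PHPT test ran");
    }
}

// Fix 2 (defence in depth): never let coverage data instantiate classes.
function loadCoverageSafe(string $path): mixed
{
    return unserialize((string) file_get_contents($path), ['allowed_classes' => false]);
}

// Demo: stage a probe object where a coverage file would be expected (constructed path).
$coverageFile = sys_get_temp_dir() . '/demo.coverage';
file_put_contents($coverageFile, serialize(new WakeupProbe()));
try {
    assertNoStaleCoverageFile($coverageFile);   // fixed behaviour: refuses to continue
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
loadCoverageUnsafe($coverageFile);
var_dump(WakeupProbe::$invoked);                // reports whether __wakeup ran on the unsafe path
WakeupProbe::$invoked = false;
$obj = loadCoverageSafe($coverageFile);
// With allowed_classes disabled the payload becomes __PHP_Incomplete_Class and __wakeup is never called.
var_dump($obj instanceof __PHP_Incomplete_Class, WakeupProbe::$invoked);
unlink($coverageFile);
```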

Affected Systems

The affected products are PHPUnit testing framework versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52. The vendor is Sebastian Bergmann, the primary maintainer of PHPUnit. The issue is relevant to all installations that use PHPT test execution and enable code coverage, as the flaw resides in the cleanupForCoverage() method that processes coverage files. The fix is delivered in the releases 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52, which now raise an explicit error when a pre‑existing ".coverage" file is found.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score of less than 1% suggests the flaw is unlikely to be widely exploited at this time. The vulnerability is not listed in the CISA KEV catalog, further implying a lower current exploitation risk. However, exploitation requires the attacker to have write access to the local file system used by PHPUnit to store coverage data. In CI/CD pipelines or shared development environments, gaining such access can be achieved through compromised dependencies or misconfigured runners, enabling the attacker to trigger arbitrary code execution during test runs. The most probable attack vector therefore involves a trusted CI/CD pipeline that has write access to the workspace, combined with code coverage turned on.

Generated by OpenCVE AI on April 18, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official PHPUnit releases – 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 – to eliminate the unsafe deserialization path.
  • If an upgrade is not immediately possible, disable code coverage instrumentation for PHPT tests or remove any pre‑existing ".coverage" files from the test run directory before execution.
  • Enforce strict file‑system permissions on the directory where PHPUnit stores coverage data, limiting write access to only those processes that require it, and isolate CI/CD runners or use disposable workers to prevent persistent file‑system exposure.



Advisories

Source       ID                    Title
Debian DLA   DLA-4470-1            phpunit security update
GitHub GHSA  GHSA-vvj3-c3rp-c85p   PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

History

Tue, 03 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values: Debian; Debian Linux; Phpunit Project; Phpunit Project phpunit
Type: CPEs
Values: cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:-:*:*; cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Type: Vendors & Products
Values: Debian; Debian Linux; Phpunit Project; Phpunit Project phpunit

Fri, 06 Feb 2026 13:30:00 +0000

Type: References

Wed, 28 Jan 2026 22:15:00 +0000

Type: Metrics ssvc
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values: Sebastianbergmann; Sebastianbergmann phpunit
Type: Vendors & Products
Values: Sebastianbergmann; Sebastianbergmann phpunit

Wed, 28 Jan 2026 12:15:00 +0000

Type: References
Type: Metrics threat_severity
Values Removed: None
Values Added: Important


Tue, 27 Jan 2026 21:45:00 +0000

Type: Description
Values Added: PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Type: Title
Values Added: PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
Type: Weaknesses
Values Added: CWE-502
Type: References
Type: Metrics cvssV3_1
Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T12:09:45.308Z

Reserved: 2026-01-26T21:06:47.867Z

Link: CVE-2026-24765

Vulnrichment

Updated: 2026-02-06T12:09:45.308Z

NVD

Status : Analyzed

Published: 2026-01-27T22:15:56.790

Modified: 2026-03-03T15:25:01.720

Link: CVE-2026-24765

Redhat

Severity : Important

Public Date: 2026-01-27T21:35:54Z

Links: CVE-2026-24765 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses