Description
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In PHPUnit versions 12.5.21 and 13.1.5 the framework forwards PHP INI settings to child processes as raw command-line arguments without neutralizing metacharacters, a flaw classified under CWE-88 (argument injection) and CWE-93 (CRLF injection). Because PHP treats a newline as a separator between INI directives, an attacker who can influence a single INI value can inject arbitrary additional directives such as auto_prepend_file, extension, and disable_functions. By setting auto_prepend_file to a path under the attacker's control, the attacker can execute code in the isolated test process, resulting in remote code execution.

Affected Systems

The affected product is PHPUnit, published by sebastianbergmann. The specific vulnerable releases are 12.5.21 and 13.1.5. All installations running these exact versions are susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8, indicating high severity, and is not present in the CISA KEV list. No EPSS value is available. The attack requires the ability to supply a malicious INI value that is then forwarded to a child process, but once that precondition is met the path to remote code execution is direct: any PHP INI setting used by PHPUnit tests that an attacker can influence is sufficient.

Generated by OpenCVE AI on May 8, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PHPUnit to version 12.5.22 or newer, or 13.1.6 or newer, which corrects the INI forwarding logic.
  • Disallow or sanitize any PHP INI values passed to child processes by configuring PHPUnit to not forward user-controllable settings.
  • If an update is not yet possible, remove or restrict the auto_prepend_file, extension, disable_functions, and open_basedir directives from the vulnerable INI values before they are forwarded to child processes.
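One way to implement the validation the second and third actions call for, as an added example that is not PHPUnit's own code (the function names isSafeIniValue and buildIniArguments and the sample settings are assumed):

```php
<?php
declare(strict_types=1);
// Added example, not PHPUnit's code: validate INI settings before a child
// process is started with them as "-d name=value" arguments.

// PHP's INI grammar treats a newline as a directive separator, '"' as a string
// delimiter and ';' as a comment start, so a value carrying any of them can
// change how the child reads the rest of its configuration. NUL is rejected too.
function isSafeIniValue(string $name, string $value): bool
{
    // Directive names are plain identifiers (letters, digits, '_' and '.').
    if (!preg_match('/^[A-Za-z0-9_.]+$/', $name)) {
        return false;
    }
    return !preg_match('/[\r\n";\0]/', $value);
}

// Builds the argument list; refuses the whole set if any pair is unsafe.
function buildIniArguments(array $settings): array
{
    $args = [];
    foreach ($settings as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        if (!isSafeIniValue($name, $value)) {
            throw new InvalidArgumentException(
                "Refusing to forward INI setting \"$name\": INI metacharacter in name or value"
            );
        }
        $args[] = '-d';
        $args[] = $name . '=' . $value;
    }
    return $args;
}

// Constructed samples: a benign setting and one whose value smuggles a second
// (here harmless) directive after a newline.
$benign  = ['memory_limit' => '256M'];
$hostile = ['memory_limit' => "256M\ndisplay_errors=1"];

// parse_ini_string() applies the same INI grammar, so it shows what the child
// would see: the single forwarded value becomes two directives.
var_dump(parse_ini_string('memory_limit=' . $hostile['memory_limit']));

print_r(buildIniArguments($benign));
try {
    buildIniArguments($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```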

Advisories
Source      | ID                  | Title
GitHub GHSA | GHSA-qrr6-mg7r-m243 | PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
History

Fri, 08 May 2026 20:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Phpunit Project; Phpunit Project phpunit
CPEs                |                | cpe:2.3:a:phpunit_project:phpunit:12.5.21:*:*:*:*:-:*:*; cpe:2.3:a:phpunit_project:phpunit:13.1.5:*:*:*:*:-:*:*
Vendors & Products  |                | Phpunit Project; Phpunit Project phpunit

Fri, 08 May 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sebastianbergmann; Sebastianbergmann phpunit
Vendors & Products  |                | Sebastianbergmann; Sebastianbergmann phpunit

Fri, 08 May 2026 14:45:00 +0000

Type        | Values Removed | Values Added
Description |                | PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
Title       |                | PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes
Weaknesses  |                | CWE-88; CWE-93
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T16:01:51.929Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41570

Vulnrichment

Updated: 2026-05-08T16:01:48.319Z

NVD

Status : Analyzed

Published: 2026-05-08T15:16:40.420

Modified: 2026-05-08T19:45:25.910

Link: CVE-2026-41570

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T16:45:13Z

Weaknesses