DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24765: The CI/CD Trojan Horse: Inside PHPUnit's Unsafe Deserialization


Vulnerability ID: CVE-2026-24765
CVSS Score: 7.8
Published: 2026-01-27

A high-severity (CVSS 7.8) insecure deserialization vulnerability in PHPUnit's PHPT test runner lets an attacker who can write a crafted .coverage file into the test directory execute arbitrary PHP code when the runner unserializes it; the report classifies the impact as Remote Code Execution (RCE). The attack vector is local (the attacker needs a file on the filesystem), but in CI/CD that requirement is met by anyone who can open a Pull Request against a repository whose pipeline runs the test suite, which is why build pipelines are the realistic target.

TL;DR

PHPUnit's PHPT runner unserialized the contents of .coverage files without restricting which classes could be instantiated. By placing a crafted file in the test directory (for example via a Pull Request), an attacker can trigger a PHP gadget chain when the test runner executes, leading to RCE. This was fixed in versions 8.5.52, 9.6.34, 10.5.63, 11.5.50 and 12.5.8 by failing fast when the coverage file already exists before the test runs, and by restricting unserialize() to an allow-list of expected classes.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502
  • Attack Vector: Local (File System)
  • CVSS Score: 7.8 (High)
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact: Remote Code Execution (RCE)
  • Context: CI/CD Pipelines / PHPT Testing

Affected Systems

  • phpunit/phpunit 8.x: < 8.5.52 (fixed in 8.5.52)
  • phpunit/phpunit 9.x: >= 9.0.0, < 9.6.34 (fixed in 9.6.34)
  • phpunit/phpunit 10.x: >= 10.0.0, < 10.5.63 (fixed in 10.5.63)
  • phpunit/phpunit 11.x: >= 11.0.0, < 11.5.50 (fixed in 11.5.50)
  • phpunit/phpunit 12.x: >= 12.0.0, < 12.5.8 (fixed in 12.5.8)

Code Analysis

Commit: 3141742

Initial security fix implementing fail-fast check and serialization hardening

- $coverage = @unserialize($buffer);
+ $coverage = @unserialize($buffer, ['allowed_classes' => false]);
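Review bot: with `allowed_classes => false` every object in the buffer comes back as `__PHP_Incomplete_Class`, including the `RawCodeCoverageData` instance a legitimate test run writes, so whatever consumes `$coverage` next will break on its first valid input; either allow-list that one class or check `$coverage instanceof RawCodeCoverageData` right here and fail with a clear error. The `@` also suppresses the warning `unserialize()` emits on malformed input while `false` is now a realistic return value, so handle `false` explicitly instead of silencing it.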

Commit: b36f023

Regression fix enabling RawCodeCoverageData deserialization

+ 'allowed_classes' => [RawCodeCoverageData::class],
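Review bot: narrowing the allow-list to `RawCodeCoverageData` is the right fix, but the hunk still does nothing with a result that is not that class (an `__PHP_Incomplete_Class` from a tampered file, or `false` on malformed data). Add `if (!$coverage instanceof RawCodeCoverageData) { throw ... }` with a dedicated exception directly after the call so a planted file fails fast here rather than surfacing as a type error further down, and confirm that the allow-listed class has no `__wakeup()`/`__unserialize()` logic that attacker-controlled property values could steer, since that class is now the only remaining deserialization surface.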
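The two hunks above show the fix in isolation; the following is an added example (not PHPUnit's code and not from the original report) that puts the vulnerable and hardened reads side by side. It assumes PHP 8 and uses a deliberately harmless stand-in gadget (LogWriterGadget) and a stand-in RawCodeCoverageData class; in a real attack the gadget is a class that is already autoloadable in the CI environment, such as a framework or vendor class whose __wakeup() or __destruct() does something useful with attacker-controlled properties.

```php
<?php
// Added example (not PHPUnit's code): why a blind unserialize() of a
// .coverage file is exploitable, and what the allowed_classes fix changes.
// LogWriterGadget and RawCodeCoverageData are stand-ins for this example.
declare(strict_types=1);

// Stand-in for the class a legitimate .coverage file is expected to contain.
final class RawCodeCoverageData
{
    public function __construct(public array $lineCoverage = []) {}
}

// Stand-in gadget: a class with a magic method that runs during unserialize().
final class LogWriterGadget
{
    public string $path = '';
    public string $payload = '';

    public function __wakeup(): void
    {
        // Side effect on deserialization. A real gadget chain ends in something
        // like a file write into a web root, an include(), or a callable invocation.
        file_put_contents($this->path, $this->payload);
    }
}

// Before the fix: whatever class the file names gets instantiated, and its
// magic methods run with attacker-chosen property values.
function loadCoverageVulnerable(string $buffer): mixed
{
    return @unserialize($buffer);
}

// After the fixes: only the expected class may be instantiated; anything else
// becomes __PHP_Incomplete_Class, which has no methods, so no gadget fires.
function loadCoverageHardened(string $buffer): ?RawCodeCoverageData
{
    $coverage = @unserialize($buffer, ['allowed_classes' => [RawCodeCoverageData::class]]);
    // Type check beyond the hunks: reject incomplete classes, scalars and the
    // false that unserialize() returns on malformed input.
    return $coverage instanceof RawCodeCoverageData ? $coverage : null;
}

// Constructed attacker-controlled .coverage content: a serialized gadget
// pointing at a marker file in the temp directory.
$marker = sys_get_temp_dir() . '/phpunit-gadget-marker';
@unlink($marker);
$gadget = new LogWriterGadget();
$gadget->path = $marker;
$gadget->payload = "gadget ran\n";
$malicious = serialize($gadget);

// Constructed legitimate content of the kind a real test run would write.
$legit = serialize(new RawCodeCoverageData(['/src/Foo.php' => [3 => 1, 4 => -1]]));

loadCoverageVulnerable($malicious);
printf("vulnerable read of planted file: marker written = %s\n", var_export(file_exists($marker), true));
@unlink($marker);

$result = loadCoverageHardened($malicious);
printf("hardened read of planted file:   result = %s, marker written = %s\n",
    var_export($result, true), var_export(file_exists($marker), true));

$result = loadCoverageHardened($legit);
printf("hardened read of legit file:     instance of %s\n", $result::class);
```

Run it with `php example.php`: the vulnerable read creates the marker file because __wakeup() executed, the hardened read of the same bytes returns null and leaves no marker, and the hardened read of the legitimate file still yields a RawCodeCoverageData instance. The allow-list applies recursively, so a gadget nested inside a property of the allowed class is neutralized the same way; the instanceof check is what turns "silently wrong object" into a failure the pipeline can see.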

Exploit Details

  • Exploit path: the attacker places a file containing a serialized object at the .coverage path the PHPT runner will read, then causes PHPUnit to run with code coverage enabled; the runner unserializes the planted file and the object's magic methods execute in the test process.

Mitigation Strategies

  • Upgrade PHPUnit to patched versions immediately.
  • Clean the workspace before test execution in CI pipelines, and in particular delete any pre-existing *.coverage files, so a file planted by a Pull Request is never read by the runner.
  • Monitor CI logs for CodeCoverageFileExistsException or unexpected deserialization errors.

Remediation Steps:

  1. Run composer update phpunit/phpunit to fetch the latest patch version.
  2. Verify the installed version using composer show phpunit/phpunit.
  3. Review CI/CD configurations to ensure ephemeral runners are used (destroyed after use).
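As an added example (not part of the report and not PHPUnit's code) of the version and workspace checks above, the PHP script below can run as a CI pre-flight step: it reads the locked phpunit/phpunit version from composer.lock and compares it with the fixed release for its major, and it refuses to continue if any .coverage file already exists under the test directory, listing the PHP class names a blind unserialize() would instantiate. The composer.lock and tests/ paths are assumptions; the fixed versions are the ones listed under Affected Systems.

```php
<?php
// Added example, not PHPUnit's code: CI pre-flight check for CVE-2026-24765.
// Usage: php preflight.php composer.lock tests/   (both paths are assumptions)
declare(strict_types=1);

// Fixed versions from the advisory, keyed by major version.
const PHPUNIT_FIXED = [
    8  => '8.5.52',
    9  => '9.6.34',
    10 => '10.5.63',
    11 => '11.5.50',
    12 => '12.5.8',
];

// Returns the locked phpunit/phpunit version from composer.lock JSON, or null.
// composer.lock keeps runtime packages under "packages" and dev ones under
// "packages-dev"; PHPUnit is normally in the latter.
function phpunitVersionFromLock(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return null;
    }
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? '') === 'phpunit/phpunit') {
            return ltrim((string) ($pkg['version'] ?? ''), 'v');
        }
    }
    return null;
}

// true = patched, false = vulnerable, null = major not covered by the advisory.
function isPatchedPhpunit(string $version): ?bool
{
    $major = (int) explode('.', $version, 2)[0];
    if (!isset(PHPUNIT_FIXED[$major])) {
        return null;
    }
    return version_compare($version, PHPUNIT_FIXED[$major], '>=');
}

// Extracts class names from PHP serialization object tokens (O:len:"Class":
// and C:len:"Class":) with a token scan, never by calling unserialize() on
// untrusted bytes. Deliberately conservative: a string value that happens to
// contain such a token is reported too, which is acceptable for a pre-flight
// check where any pre-existing file is already a failure.
function serializedClassNames(string $buffer): array
{
    preg_match_all('/(?:^|[;{])[OC]:\d+:"([^"]+)":/', $buffer, $m);
    return array_values(array_unique($m[1]));
}

// Lists .coverage files that exist before the test run, each with the class
// names it would instantiate. The patched PHPT runner fails fast on such a
// file; this catches it before PHPUnit starts at all.
function preexistingCoverageFiles(string $testDir): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($testDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && str_ends_with($file->getFilename(), '.coverage')) {
            $path = $file->getPathname();
            $found[$path] = serializedClassNames((string) file_get_contents($path));
        }
    }
    return $found;
}

$lockPath = $argv[1] ?? 'composer.lock';
$testDir  = $argv[2] ?? 'tests';
$failed   = false;

$version = is_file($lockPath) ? phpunitVersionFromLock((string) file_get_contents($lockPath)) : null;
if ($version === null) {
    echo "phpunit/phpunit not found in $lockPath; cannot verify patch level\n";
    $failed = true;
} else {
    $state = isPatchedPhpunit($version);
    $label = $state === null ? 'major not covered by the advisory, verify manually'
           : ($state ? 'patched' : 'VULNERABLE');
    echo "phpunit/phpunit $version: $label\n";
    $failed = $failed || $state === false;
}

foreach (is_dir($testDir) ? preexistingCoverageFiles($testDir) : [] as $path => $classes) {
    $detail = $classes ? ' (serialized classes: ' . implode(', ', $classes) . ')' : '';
    echo "pre-existing coverage file: $path$detail\n";
    $failed = true;
}

exit($failed ? 1 : 0);
```

A non-zero exit aborts the job before PHPUnit runs, which is the cheap half of the mitigation; the other half, an ephemeral runner that is destroyed after the job, limits what a successful gadget chain can reach if a check is ever bypassed.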

References


Read the full report for CVE-2026-24765 on our website for more details including interactive diagrams and full exploit analysis.
