DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QRR6-MG7R-M243: GHSA-QRR6-MG7R-M243: Argument Injection and Remote Code Execution in PHPUnit JobRunner

#security #cve #cybersecurity #ghsa

GHSA-QRR6-MG7R-M243: Argument Injection and Remote Code Execution in PHPUnit JobRunner

Vulnerability ID: GHSA-QRR6-MG7R-M243
CVSS Score: 7.8
Published: 2026-04-18

An argument injection vulnerability exists in PHPUnit's JobRunner component due to improper neutralization of metacharacters in PHP INI configuration values. This flaw allows an attacker to inject arbitrary INI directives during process forking, potentially leading to remote code execution within the context of continuous integration environments or testing workers.

TL;DR

PHPUnit versions prior to 13.1.6 fail to properly escape INI settings passed to child processes via the command line. Attackers who control configuration values can inject newlines to execute arbitrary files via injected INI directives.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-88 (Argument Injection or Modification)
  • Attack Vector: Local / CI Configuration
  • CVSS Score: 7.8 (High)
  • Exploit Status: Proof of Concept available
  • Impact: Remote Code Execution
  • Affected Component: phpunit/phpunit (JobRunner)

Affected Systems

  • PHPUnit JobRunner Component
  • Continuous Integration Pipelines executing PHPUnit
  • Automated Testing Workers with process isolation enabled
  • PHPUnit 13: < 13.1.6 (Fixed in: 13.1.6)
  • PHPUnit 12: < 12.x
  • PHPUnit 11: < 11.x

Mitigation Strategies

  • Upgrade PHPUnit to a secure version (13.1.6 or higher).
  • Implement strict code review requirements for modifications to phpunit.xml.
  • Enforce least-privilege principles for CI/CD runners and ephemeral build containers.
  • Integrate SAST tooling to scan for vulnerable composer.lock dependencies.
  • Sanitize environment variables injected into the CI pipeline.

Remediation Steps:

  1. Identify all projects utilizing phpunit/phpunit via dependency analysis tools.
  2. Update the composer.json file to require phpunit/phpunit ^13.1.6.
  3. Execute composer update phpunit/phpunit to fetch the patched version.
  4. Commit the updated composer.lock file to the repository.
  5. Verify the pipeline execution to ensure compatibility with the updated testing framework.

Read the full report for GHSA-QRR6-MG7R-M243 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)