Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Cve Jun 2026

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2017-9841 |
| CVSS Score | 9.8 (Critical) |
| Vulnerable Files | src/Util/PHP/eval-stdin.php |
| Attack Vector | HTTP POST request to exposed PHPUnit file |
| Affected Versions | PHPUnit < 4.8.28 and 5.x < 5.6.3 |
| Patched Versions | 4.8.28, 5.6.3, 6.x, and all later releases |
| Primary Cause | Insecure use of eval() on user-supplied input |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Exploitation | Trivial; public exploits available |
| Mitigation | Upgrade PHPUnit, remove from production, block /vendor/ access |

```php
<?php
// The entire body of eval-stdin.php: whatever it reads is handed straight to eval().
eval('?>' . file_get_contents('php://stdin'));
```

The file path vendor/phpunit/phpunit/src/util/php/eval-stdin.php refers to a utility script included in PHPUnit, a widely used testing framework for PHP. In versions prior to 5.6.3, this file contained a security vulnerability (CVE-2017-9841) that allows Remote Code Execution (RCE).

You should never have the vendor folder exposed to the public. Moreover, development tools should not be in production.

This file is part of PHPUnit's internal structure and was never intended to be a public-facing web script. Its function is to receive code over php://stdin and execute it with eval(): a necessity for PHPUnit's own internal processes, but catastrophic when the script is reachable on a web server.

The file eval-stdin.php used the eval() function to process raw POST data via the php://input wrapper.
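Because the attack vector is an HTTP POST to an exposed copy of eval-stdin.php, and the mitigation is to keep /vendor/ off the web root entirely, a defender can verify both from the access log. The following is an added example, not code from PHPUnit or from this page: it parses combined-format access-log lines (the regex and the sample lines are constructed assumptions) and flags a POST to eval-stdin.php that returned 200 as critical, any other request for that script as a probe, and any 200 served from under /vendor/ as evidence that the directory is web-reachable.

```python
import re
from dataclasses import dataclass

# Combined access-log format (constructed regex; adjust to your server's log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Scanners vary the casing and the nesting depth, so match loosely and case-insensitively.
EVAL_STDIN_RE = re.compile(r'/vendor/.*eval-stdin\.php', re.IGNORECASE)
VENDOR_RE = re.compile(r'/vendor/', re.IGNORECASE)

@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    severity: str  # "critical", "probe" or "vendor-exposed"

def classify(line: str):
    """Return a Finding for one log line, or None if the line is not relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"].split("?", 1)[0], int(m["status"])
    if EVAL_STDIN_RE.search(path):
        # A POST answered with 200 means the request body reached eval().
        sev = "critical" if method == "POST" and status == 200 else "probe"
    elif VENDOR_RE.search(path) and status == 200:
        # Any 200 from under /vendor/ shows the directory is web-reachable at all.
        sev = "vendor-exposed"
    else:
        return None
    return Finding(m["ip"], method, path, status, sev)

def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2026:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 24',
    '198.51.100.9 - - [12/Jun/2026:10:02:11 +0000] "GET /lib/Vendor/PHPUnit/src/Util/PHP/Eval-Stdin.php HTTP/1.1" 404 196',
    '198.51.100.9 - - [12/Jun/2026:10:02:12 +0000] "GET /vendor/autoload.php HTTP/1.1" 200 0',
]
```

Running `scan(SAMPLE_LOG)` yields three findings (critical, probe, vendor-exposed); a "critical" hit on a host that has not yet upgraded or removed PHPUnit should be treated as a likely compromise, not just a scan.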