PHPUnit, INI Injection, CVE-2026-24765 (Critical)

Listen to this Post

How CVE-2026-24765 works:

PHPUnit forwards PHP INI settings to isolated child processes using `-d name=value` command-line arguments without sanitizing INI metacharacters. The PHP INI parser treats `”` as a string delimiter, `;` as comment start, and newline `\n` as a directive separator. An attacker who controls a single INI value (e.g., via `` in phpunit.xml, inherited ini_get_all(), or environment) can embed a newline followed by arbitrary INI directives. For example, injecting `\nauto_prepend_file=/tmp/evil.php` causes the child process to load and execute that file as PHP code. This yields remote code execution in the child process. The attack is especially dangerous in CI/CD pipelines where an untrusted pull request modifies `phpunit.xml` with a value containing newline and malicious directives. The malicious newline is invisible in normal diffs, enabling Poisoned Pipeline Execution (PPE). The vulnerable component is PHPUnit\Util\PHP\JobRunner::settingsToParameters(). Patches reject any value containing `\n` or `\r` with an explicit exception, and quote remaining `”` and `;` characters. Workarounds include auditing all INI values, isolating CI runners, and restricting write access to phpunit.xml.

DailyCVE form:

Platform: PHPUnit
Version: <=10.5.37, <=11.5.15
Vulnerability: INI injection
Severity: Critical
date: 2026-04-18

Prediction: Patch 2026-04-20

Analytics under What Undercode Say:

Detect newline injection in phpunit.xml
grep -P '<ini.value=".[\n\r]."' phpunit.xml
Simulate the vulnerable parameter building
php -r "var_dump(escapeshellarg('-d auto_prepend_file=test\nopen_basedir=/tmp'));"
Monitor child process arguments
strace -f -e execve phpunit --configuration poc.xml

Exploit:

<!-- phpunit.xml with malicious INI value -->
<phpunit>
<ini name="error_reporting" value="E_ALL\nauto_prepend_file=/tmp/evil.php"/>
</phpunit>
// /tmp/evil.php - RCE payload
<?php system('id'); ?>

Trigger: `phpunit –configuration poc.xml` → child process executes id.

Protection from this CVE:

– Upgrade to PHPUnit ≥10.5.38 or ≥11.5.16.
– Reject any INI value containing newline or carriage return in code review.
– Run CI on untrusted PRs in ephemeral containers with no persistent secrets.
– Set `security.limit_extensions` and disable `auto_prepend_file` globally.
– Use `php -d` validation script to scan `phpunit.xml` for dangerous characters.

Impact:

Remote code execution in PHPUnit child processes. Attackers can hijack isolated test runners, read/write arbitrary files, disable security functions, and escape open_basedir. Full compromise of CI/CD pipeline secrets and source code. CVSS 9.8 (Critical).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top