Listen to this Post
How CVE-2026-24765 works:
PHPUnit forwards PHP INI settings to isolated child processes using `-d name=value` command-line arguments without sanitizing INI metacharacters. The PHP INI parser treats `”` as a string delimiter, `;` as comment start, and newline `\n` as a directive separator. An attacker who controls a single INI value (e.g., via `phpunit.xml, inherited ini_get_all(), or environment) can embed a newline followed by arbitrary INI directives. For example, injecting `\nauto_prepend_file=/tmp/evil.php` causes the child process to load and execute that file as PHP code. This yields remote code execution in the child process. The attack is especially dangerous in CI/CD pipelines where an untrusted pull request modifies `phpunit.xml` with a value containing newline and malicious directives. The malicious newline is invisible in normal diffs, enabling Poisoned Pipeline Execution (PPE). The vulnerable component is PHPUnit\Util\PHP\JobRunner::settingsToParameters(). Patches reject any value containing `\n` or `\r` with an explicit exception, and quote remaining `”` and `;` characters. Workarounds include auditing all INI values, isolating CI runners, and restricting write access to phpunit.xml.
DailyCVE form:
Platform: PHPUnit
Version: <=10.5.37, <=11.5.15
Vulnerability: INI injection
Severity: Critical
date: 2026-04-18
Prediction: Patch 2026-04-20
Analytics under What Undercode Say:
Detect newline injection in phpunit.xml
grep -P '<ini.value=".[\n\r]."' phpunit.xml
Simulate the vulnerable parameter building
php -r "var_dump(escapeshellarg('-d auto_prepend_file=test\nopen_basedir=/tmp'));"
Monitor child process arguments
strace -f -e execve phpunit --configuration poc.xml
Exploit:
<!-- phpunit.xml with malicious INI value --> <phpunit> <ini name="error_reporting" value="E_ALL\nauto_prepend_file=/tmp/evil.php"/> </phpunit>
// /tmp/evil.php - RCE payload
<?php system('id'); ?>
Trigger: `phpunit –configuration poc.xml` → child process executes id.
Protection from this CVE:
– Upgrade to PHPUnit ≥10.5.38 or ≥11.5.16.
– Reject any INI value containing newline or carriage return in code review.
– Run CI on untrusted PRs in ephemeral containers with no persistent secrets.
– Set `security.limit_extensions` and disable `auto_prepend_file` globally.
– Use `php -d` validation script to scan `phpunit.xml` for dangerous characters.
Impact:
Remote code execution in PHPUnit child processes. Attackers can hijack isolated test runners, read/write arbitrary files, disable security functions, and escape open_basedir. Full compromise of CI/CD pipeline secrets and source code. CVSS 9.8 (Critical).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

