PHPUnit, Unsafe Deserialization, CVE-XXXX-XXXX (Critical)

Listen to this Post

The vulnerability resides in the `cleanupForCoverage()` method of the PHPT test runner. When PHPUnit executes a PHPT test with code coverage enabled, it checks for a `.coverage` file in the test’s temporary directory after execution to aggregate results. The flaw is that this method unconditionally deserializes the file’s contents using `unserialize($buffer)` without the `allowed_classes` restriction. If an attacker can write a malicious `.coverage` file to that expected location before the test runs, PHPUnit will deserialize it. By crafting a serialized payload containing an object with a dangerous magic method like `__wakeup()` or __destruct(), the attacker can achieve arbitrary code execution in the context of the PHPUnit process during test execution, typically within a CI/CD pipeline.

dailycve

Platform: PHPUnit
Version: <=12.5.7
Vulnerability: Unsafe Deserialization
Severity: Critical
date: 2024-04-15

Prediction: 2024-04-29

What Undercode Say:

cat > malicious.coverage << 'EOF'
O:8:"stdClass":1:{s:11:"injected_cmd";s:10:"id > /tmp/";}
EOF
// Vulnerable code pattern from cleanupForCoverage()
$buffer = file_get_contents($coverageFile);
if ($buffer !== false) {
$coverage = @unserialize($buffer); // No allowed_classes restriction
}
Example check for pre-existing .coverage files
find /path/to/tests -name ".coverage" -type f

How Exploit:

  1. Attacker gains file write in test directory (e.g., via PR).
  2. Places malicious `.coverage` file before PHPT test run.

3. CI runs `phpunit –coverage-php`.

4. `cleanupForCoverage()` deserializes payload.

5. Arbitrary code executes via gadget chain.

Protection from this CVE

Update PHPUnit immediately.

Use isolated, ephemeral CI runners.

Enforce branch protection rules.

Audit for pre-existing `.coverage` files.

Impact:

Confidentiality: High

Integrity: High

Availability: High

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top