Listen to this Post
The vulnerability resides in the `cleanupForCoverage()` method of the PHPT test runner. When PHPUnit executes a PHPT test with code coverage enabled, it checks for a `.coverage` file in the test’s temporary directory after execution to aggregate results. The flaw is that this method unconditionally deserializes the file’s contents using `unserialize($buffer)` without the `allowed_classes` restriction. If an attacker can write a malicious `.coverage` file to that expected location before the test runs, PHPUnit will deserialize it. By crafting a serialized payload containing an object with a dangerous magic method like `__wakeup()` or __destruct(), the attacker can achieve arbitrary code execution in the context of the PHPUnit process during test execution, typically within a CI/CD pipeline.
dailycve
Platform: PHPUnit
Version: <=12.5.7
Vulnerability: Unsafe Deserialization
Severity: Critical
date: 2024-04-15
Prediction: 2024-04-29
What Undercode Say:
cat > malicious.coverage << 'EOF'
O:8:"stdClass":1:{s:11:"injected_cmd";s:10:"id > /tmp/";}
EOF
// Vulnerable code pattern from cleanupForCoverage()
$buffer = file_get_contents($coverageFile);
if ($buffer !== false) {
$coverage = @unserialize($buffer); // No allowed_classes restriction
}
Example check for pre-existing .coverage files find /path/to/tests -name ".coverage" -type f
How Exploit:
- Attacker gains file write in test directory (e.g., via PR).
- Places malicious `.coverage` file before PHPT test run.
3. CI runs `phpunit –coverage-php`.
4. `cleanupForCoverage()` deserializes payload.
5. Arbitrary code executes via gadget chain.
Protection from this CVE
Update PHPUnit immediately.
Use isolated, ephemeral CI runners.
Enforce branch protection rules.
Audit for pre-existing `.coverage` files.
Impact:
Confidentiality: High
Integrity: High
Availability: High
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

