Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Exploit

Understanding and Mitigating the PHPUnit Remote Code Execution Exploit (CVE-2017-9841)

This is a report on the CVE-2017-9841 vulnerability, a critical remote code execution (RCE) flaw in the PHPUnit testing framework. This article explains how the vulnerability works, how attackers exploit it, and how to protect your server.

Vulnerability Overview

Vulnerability Name: PHPUnit Remote Code Execution (RCE)
CVE ID: CVE-2017-9841
Severity: 9.8 Critical (CVSS v3.x)
Target File: vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

| Aspect | Summary |
|--------|---------|
| Vulnerability | Unauthenticated RCE via eval-stdin.php (CVE-2017-9841) |
| Affected Versions | PHPUnit <4.8.28 and <5.6.3 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | HTTP POST to /vendor/phpunit/.../eval-stdin.php |
| Impact | Full server compromise, data breach, malware deployment |
| Active Threats | Androxgh0st malware, mass scanning campaigns |
| Remediation | Upgrade to ≥4.8.28/5.6.3, remove PHPUnit from production, restrict access to /vendor |

Technical Description

The script eval-stdin.php was designed to read PHP code from standard input and execute it using eval(). In misconfigured production environments where the

substring, an unauthenticated attacker can execute arbitrary PHP code on the server.

The script utilizes file_get_contents('php://input') to read the raw POST body data sent to the HTTP server and immediately passes that data to PHP's highly dangerous eval() function.

The Root Cause

The flaw exists because the eval-stdin.php file, intended for internal use by the testing framework, was often left in web-accessible directories (like /vendor/). It contains a single, dangerous line of code:

```php
eval('?> ' . file_get_contents('php://input'));
```

Exploit Demonstration

A typical exploit involves a simple request to the vulnerable endpoint:

The attacker sends the crafted malicious code to the server through the vulnerable eval-stdin.php file, which then evaluates and executes the code. Attackers use the compromised server as a stepping stone to attack the internal network.

Remediation and Mitigation Strategies

If you discover this file is exposed on your production architecture, apply the following fixes immediately.

1. Update PHPUnit via Composer

Update your development dependencies to pull in patched versions of PHPUnit:

```shell
composer update phpunit/phpunit --dev
```

The eval-stdin.php exploit serves as a critical reminder of the risks associated with exposing development dependencies in production. While the flaw lies within PHPUnit code, the vulnerability is only exploitable when system administrators fail to properly segregate development tools from public-facing assets. By adhering to the principle of least privilege—denying web access to non-essential files—administrators can neutralize this and similar threats effectively.
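As an added, defender-side illustration of the "restrict access to /vendor" advice above (example code, not part of the original article), here is a small Python scanner that flags requests to eval-stdin.php in combined-format web server logs and grades them by whether the request body could have reached eval(). It assumes the default Apache/nginx combined log format; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Combined log format, as written by Apache and nginx by default (assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: a blocked probe, a successful hit, an
# URL-encoded variant that was denied, and one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /vendor/phpunit/src/Util/PHP/eval-stdin%2Ephp HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def normalize_path(raw):
    """Drop the query string, URL-decode twice (catches double encoding), lowercase."""
    path = unquote(unquote(raw.split("?", 1)[0]))
    return path.lower()

def classify(line):
    """Return a finding dict for a suspicious line, or None for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m["path"])
    if "eval-stdin.php" not in path:
        return None
    status = int(m["status"])
    # A POST answered 2xx means the body reached eval(): treat as compromise.
    if m["method"] == "POST" and 200 <= status < 300:
        severity = "critical"
    elif m["method"] == "POST":
        severity = "high"      # attempt made but denied (403/404/5xx)
    else:
        severity = "medium"    # GET probe: reconnaissance for an exposed /vendor tree
    return {"ip": m["ip"], "method": m["method"], "status": status,
            "path": path, "severity": severity}

def scan(log_text):
    """Run classify() over every line and return the list of findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any "critical" finding means the file was both reachable and executed the request body, so the host should be treated as compromised rather than merely scanned.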