Skip to content

chore(deps): update dependency phpunit/phpunit to v8 [security]#4

Open
renovate-fastnorth[bot] wants to merge 1 commit into
masterfrom
renovate/packagist-phpunit-phpunit-vulnerability
Open

chore(deps): update dependency phpunit/phpunit to v8 [security]#4
renovate-fastnorth[bot] wants to merge 1 commit into
masterfrom
renovate/packagist-phpunit-phpunit-vulnerability

Conversation

@renovate-fastnorth

@renovate-fastnorth renovate-fastnorth Bot commented Mar 30, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
phpunit/phpunit ^5.3^8.5.52 age confidence

PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

CVE-2026-24765 / GHSA-vvj3-c3rp-c85p

More information

Details

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage()
Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern
if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @&#8203;unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

  • CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
  • Local Development Environment: An attacker with shell access or ability to write files to the project directory
  • Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo

Critical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:
  1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
  2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
    • A malicious actor placed it intentionally
    • Build artifacts from a previous run contaminated the environment
    • An unexpected filesystem state requiring investigation
  3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
    • Isolate CI/CD runners (ephemeral, containerized environments)
    • Restrict code execution on protected branches
    • Scan pull requests and artifacts for tampering
    • Use branch protection rules to prevent unreviewed code execution
Severity Classification
  • Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
  • Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
  • Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
  • User Interaction (UI): None (N) — automatic execution during standard test execution
  • Scope (S): Unchanged (U) — impact remains within the affected test execution context
  • Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
  • Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
  • Availability Impact (A): High (H) — full code execution permits denial-of-service actions
Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

  • Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
  • Code Review Enforcement: Require human review and approval before executing code from pull requests
  • Branch Protection: Enforce branch protection rules that block unreviewed code execution
  • Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
  • Access Control: Limit file write permissions in CI environments to authenticated, trusted actors
Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

  • Visibility: The error appears prominently in CI/CD output and test logs
  • Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
  • Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state
Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

  • Pull requests from forks or untrusted sources execute in isolated environments
  • Branch protection rules require human review before code execution
  • CI/CD runners are ephemeral and discarded after each build
  • Build artifacts are not reused across independent runs without validation

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Code Injection in PHPUnit

CVE-2017-9841 / GHSA-r7c9-c69m-rph8

More information

Details

Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

CVE-2026-24765 / GHSA-vvj3-c3rp-c85p

More information

Details

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage()
Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern
if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @&#8203;unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

  • CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
  • Local Development Environment: An attacker with shell access or ability to write files to the project directory
  • Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo

Critical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:
  1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
  2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
    • A malicious actor placed it intentionally
    • Build artifacts from a previous run contaminated the environment
    • An unexpected filesystem state requiring investigation
  3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
    • Isolate CI/CD runners (ephemeral, containerized environments)
    • Restrict code execution on protected branches
    • Scan pull requests and artifacts for tampering
    • Use branch protection rules to prevent unreviewed code execution
Severity Classification
  • Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
  • Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
  • Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
  • User Interaction (UI): None (N) — automatic execution during standard test execution
  • Scope (S): Unchanged (U) — impact remains within the affected test execution context
  • Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
  • Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
  • Availability Impact (A): High (H) — full code execution permits denial-of-service actions
Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

  • Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
  • Code Review Enforcement: Require human review and approval before executing code from pull requests
  • Branch Protection: Enforce branch protection rules that block unreviewed code execution
  • Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
  • Access Control: Limit file write permissions in CI environments to authenticated, trusted actors
Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

  • Visibility: The error appears prominently in CI/CD output and test logs
  • Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
  • Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state
Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

  • Pull requests from forks or untrusted sources execute in isolated environments
  • Branch protection rules require human review before code execution
  • CI/CD runners are ephemeral and discarded after each build
  • Build artifacts are not reused across independent runs without validation

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone America/Toronto)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] - autoclosed Apr 27, 2026
@renovate-fastnorth renovate-fastnorth Bot deleted the renovate/packagist-phpunit-phpunit-vulnerability branch April 27, 2026 16:54
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] - autoclosed chore(deps): update dependency phpunit/phpunit to v13 [security] Apr 28, 2026
@renovate-fastnorth renovate-fastnorth Bot reopened this Apr 28, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch 2 times, most recently from 13952fd to fd48dac Compare April 30, 2026 18:16
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Apr 30, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from fd48dac to d3e2734 Compare May 5, 2026 17:52
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 5, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from d3e2734 to 3b7a06f Compare May 6, 2026 13:43
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 6, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 3b7a06f to faa9f77 Compare May 7, 2026 20:12
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 7, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from faa9f77 to e86df80 Compare May 8, 2026 13:47
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 8, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from e86df80 to 8ba785d Compare May 12, 2026 17:29
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 12, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 8ba785d to 5c04ebd Compare May 13, 2026 14:53
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 13, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 5c04ebd to ddf00f9 Compare May 14, 2026 14:33
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 14, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from ddf00f9 to f2fe6ea Compare May 14, 2026 18:48
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 14, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from f2fe6ea to c1dc1c9 Compare May 15, 2026 14:25
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 15, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 685571b to 2781474 Compare May 27, 2026 16:55
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 27, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 2781474 to c52f174 Compare May 28, 2026 11:33
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 28, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from c52f174 to c63514f Compare May 29, 2026 15:30
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 29, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from c63514f to e95e253 Compare May 30, 2026 13:17
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 30, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from e95e253 to 33d7a74 Compare June 2, 2026 17:14
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] Jun 2, 2026
@carcunha carcunha added the blocked Do not merge without follow-up work label Jun 2, 2026

@carcunha carcunha left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocked — dev-only bump with no verification path.

  • phpunit/phpunit ^5.3 → ^13 is a major test-suite migration, not a constraint-only change.
  • Security label applies to require-dev; this does not affect runtime consumers.
  • This repo has no CI workflow — nothing validates the bump (no checks on this PR).

Run and fix the test suite locally before merging, or close if PHPUnit 5 tests are no longer maintained.

@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch 2 times, most recently from 125a4f8 to 10cdd93 Compare June 3, 2026 13:30
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Jun 3, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 10cdd93 to 4159e95 Compare June 4, 2026 14:22
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] Jun 4, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 4159e95 to f3b2d78 Compare June 4, 2026 17:09
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Jun 4, 2026
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] Jun 5, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from f3b2d78 to 4ac29fa Compare June 5, 2026 12:44
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Jun 6, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 4ac29fa to dc3c4a1 Compare June 6, 2026 12:26
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] Jun 16, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from dc3c4a1 to 86d2301 Compare June 16, 2026 13:08
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Jun 16, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 86d2301 to 93cd3d3 Compare June 16, 2026 19:26
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

blocked Do not merge without follow-up work composer Security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant