Skip to content

chore(deps): update dependency phpunit/phpunit to v8 [security]#12

Open
renovate-fastnorth[bot] wants to merge 1 commit into
masterfrom
renovate/packagist-phpunit-phpunit-vulnerability
Open

chore(deps): update dependency phpunit/phpunit to v8 [security]#12
renovate-fastnorth[bot] wants to merge 1 commit into
masterfrom
renovate/packagist-phpunit-phpunit-vulnerability

Conversation

@renovate-fastnorth

@renovate-fastnorth renovate-fastnorth Bot commented Mar 30, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
phpunit/phpunit ^4.8^8.5.52 age confidence

PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

CVE-2026-24765 / GHSA-vvj3-c3rp-c85p

More information

Details

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage()
Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern
if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @&#8203;unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

  • CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
  • Local Development Environment: An attacker with shell access or ability to write files to the project directory
  • Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo

Critical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:
  1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
  2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
    • A malicious actor placed it intentionally
    • Build artifacts from a previous run contaminated the environment
    • An unexpected filesystem state requiring investigation
  3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
    • Isolate CI/CD runners (ephemeral, containerized environments)
    • Restrict code execution on protected branches
    • Scan pull requests and artifacts for tampering
    • Use branch protection rules to prevent unreviewed code execution
Severity Classification
  • Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
  • Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
  • Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
  • User Interaction (UI): None (N) — automatic execution during standard test execution
  • Scope (S): Unchanged (U) — impact remains within the affected test execution context
  • Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
  • Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
  • Availability Impact (A): High (H) — full code execution permits denial-of-service actions
Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

  • Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
  • Code Review Enforcement: Require human review and approval before executing code from pull requests
  • Branch Protection: Enforce branch protection rules that block unreviewed code execution
  • Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
  • Access Control: Limit file write permissions in CI environments to authenticated, trusted actors
Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

  • Visibility: The error appears prominently in CI/CD output and test logs
  • Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
  • Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state
Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

  • Pull requests from forks or untrusted sources execute in isolated environments
  • Branch protection rules require human review before code execution
  • CI/CD runners are ephemeral and discarded after each build
  • Build artifacts are not reused across independent runs without validation

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

CVE-2026-24765 / GHSA-vvj3-c3rp-c85p

More information

Details

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage()
Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern
if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @&#8203;unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

  • CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
  • Local Development Environment: An attacker with shell access or ability to write files to the project directory
  • Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo

Critical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:
  1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
  2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
    • A malicious actor placed it intentionally
    • Build artifacts from a previous run contaminated the environment
    • An unexpected filesystem state requiring investigation
  3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
    • Isolate CI/CD runners (ephemeral, containerized environments)
    • Restrict code execution on protected branches
    • Scan pull requests and artifacts for tampering
    • Use branch protection rules to prevent unreviewed code execution
Severity Classification
  • Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
  • Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
  • Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
  • User Interaction (UI): None (N) — automatic execution during standard test execution
  • Scope (S): Unchanged (U) — impact remains within the affected test execution context
  • Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
  • Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
  • Availability Impact (A): High (H) — full code execution permits denial-of-service actions
Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

  • Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
  • Code Review Enforcement: Require human review and approval before executing code from pull requests
  • Branch Protection: Enforce branch protection rules that block unreviewed code execution
  • Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
  • Access Control: Limit file write permissions in CI environments to authenticated, trusted actors
Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

  • Visibility: The error appears prominently in CI/CD output and test logs
  • Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
  • Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state
Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

  • Pull requests from forks or untrusted sources execute in isolated environments
  • Branch protection rules require human review before code execution
  • CI/CD runners are ephemeral and discarded after each build
  • Build artifacts are not reused across independent runs without validation

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone America/Toronto)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] - autoclosed Apr 27, 2026
@renovate-fastnorth renovate-fastnorth Bot deleted the renovate/packagist-phpunit-phpunit-vulnerability branch April 27, 2026 18:58
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] - autoclosed chore(deps): update dependency phpunit/phpunit to v13 [security] Apr 28, 2026
@renovate-fastnorth renovate-fastnorth Bot reopened this Apr 28, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch 2 times, most recently from c6df11f to 8ddea46 Compare April 28, 2026 13:59
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] Update dependency phpunit/phpunit to v13 [SECURITY] Apr 28, 2026
@renovate-fastnorth renovate-fastnorth Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] chore(deps): update dependency phpunit/phpunit to v13 [security] Apr 29, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 8ddea46 to 4388352 Compare April 30, 2026 11:10
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Apr 30, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 4388352 to 09af72b Compare May 5, 2026 11:14
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 5, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 09af72b to 1cab2ae Compare May 6, 2026 11:12
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 6, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 1cab2ae to 550131e Compare May 7, 2026 16:16
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 7, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 550131e to 882a77b Compare May 8, 2026 11:13
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 8, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 882a77b to 9c9269a Compare May 12, 2026 14:00
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 12, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 9c9269a to 6b9b01c Compare May 13, 2026 11:11
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 18bf47a to e1a263c Compare May 21, 2026 17:11
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 21, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from e1a263c to 1d2abb9 Compare May 22, 2026 11:12
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 22, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 1d2abb9 to 8f97f1d Compare May 26, 2026 16:48
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 26, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 8f97f1d to ef1720c Compare May 27, 2026 11:40
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 27, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from ef1720c to b9ef660 Compare May 27, 2026 18:58
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 27, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from b9ef660 to 654d51c Compare May 28, 2026 14:27
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 28, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 654d51c to ea6d389 Compare May 29, 2026 13:28
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 29, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from ea6d389 to d15ac49 Compare May 29, 2026 18:42
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 29, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch 2 times, most recently from d35036f to 3d4b104 Compare May 29, 2026 19:30
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] May 29, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 3d4b104 to 3c1851b Compare May 30, 2026 11:12
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] May 30, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 3c1851b to a42f79e Compare June 2, 2026 17:11
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] Jun 2, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from a42f79e to 16e3600 Compare June 3, 2026 12:06
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v13 [security] chore(deps): update dependency phpunit/phpunit to v8 [security] Jun 3, 2026
@renovate-fastnorth renovate-fastnorth Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 16e3600 to a05b193 Compare June 4, 2026 11:26
@renovate-fastnorth renovate-fastnorth Bot changed the title chore(deps): update dependency phpunit/phpunit to v8 [security] chore(deps): update dependency phpunit/phpunit to v13 [security] Jun 4, 2026
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants