chore(deps): update dependency phpunit/phpunit to v8 [security]#12
Open
renovate-fastnorth[bot] wants to merge 1 commit into
Open
chore(deps): update dependency phpunit/phpunit to v8 [security]#12renovate-fastnorth[bot] wants to merge 1 commit into
renovate-fastnorth[bot] wants to merge 1 commit into
Conversation
c6df11f to
8ddea46
Compare
8ddea46 to
4388352
Compare
4388352 to
09af72b
Compare
09af72b to
1cab2ae
Compare
1cab2ae to
550131e
Compare
550131e to
882a77b
Compare
882a77b to
9c9269a
Compare
9c9269a to
6b9b01c
Compare
18bf47a to
e1a263c
Compare
e1a263c to
1d2abb9
Compare
1d2abb9 to
8f97f1d
Compare
8f97f1d to
ef1720c
Compare
ef1720c to
b9ef660
Compare
b9ef660 to
654d51c
Compare
654d51c to
ea6d389
Compare
ea6d389 to
d15ac49
Compare
d35036f to
3d4b104
Compare
3d4b104 to
3c1851b
Compare
3c1851b to
a42f79e
Compare
a42f79e to
16e3600
Compare
16e3600 to
a05b193
Compare
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.8→^8.5.52PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
CVE-2026-24765 / GHSA-vvj3-c3rp-c85p
More information
Details
Overview
A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the
cleanupForCoverage()method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious.coveragefiles are present prior to the execution of the PHPT test.Technical Details
Affected Component: PHPT test runner, method
cleanupForCoverage()Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7
Vulnerable Code Pattern
The vulnerability occurs when a
.coveragefile, which should not exist before test execution, is deserialized without theallowed_classesparameter restriction. An attacker with local file write access can place a malicious serialized object with a__wakeup()method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.Attack Prerequisites and Constraints
This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:
.coveragefile alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage informationCritical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.
Proposed Remediation Approach
Rather than just silently sanitizing the input via
['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing.coveragefiles for PHPT tests as an error condition.Rationale for Error-Based Approach:
.coveragefile existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input.coveragefile should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:Severity Classification
Mitigating Factors (Environmental Context)
Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:
Fixed Behaviour
When a
.coveragefile is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:Recommendation
Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
CVE-2026-24765 / GHSA-vvj3-c3rp-c85p
More information
Details
Overview
A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the
cleanupForCoverage()method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious.coveragefiles are present prior to the execution of the PHPT test.Technical Details
Affected Component: PHPT test runner, method
cleanupForCoverage()Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7
Vulnerable Code Pattern
The vulnerability occurs when a
.coveragefile, which should not exist before test execution, is deserialized without theallowed_classesparameter restriction. An attacker with local file write access can place a malicious serialized object with a__wakeup()method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.Attack Prerequisites and Constraints
This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:
.coveragefile alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage informationCritical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.
Proposed Remediation Approach
Rather than just silently sanitizing the input via
['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing.coveragefiles for PHPT tests as an error condition.Rationale for Error-Based Approach:
.coveragefile existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input.coveragefile should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:Severity Classification
Mitigating Factors (Environmental Context)
Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:
Fixed Behaviour
When a
.coveragefile is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:Recommendation
Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone America/Toronto)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.