Vendor Phpunit Phpunit Src Util Php | Eval-stdin.php Exploit

A typical exploit attempt targets common framework deployment paths where the vendor directory might accidentally be exposed to the public internet:

NIST NVD: Base Score 7.5 HIGH. Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Successful exploitation grants the attacker arbitrary code execution under the permissions of the web server, leading to full server compromise, data theft (including .env files), and malware installation.

Why This Vulnerability Persists

Deploy a WAF (such as Cloudflare, AWS WAF, or ModSecurity). Most modern WAFs feature built-in, signature-based rules specifically designed to detect and drop inbound requests containing the string eval-stdin.php.

Conclusion
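As an added example (not part of the original post), the following Python scanner flags requests for eval-stdin.php in combined-format web access logs and reports whether the script was actually reachable; the log lines are constructed for illustration, and it normalises case, query strings and URL-encoding before matching so that trivial variations of the path are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined format); not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl/7.88"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/Eval-Stdin.PHP HTTP/1.1" 200 512 "-" "-"
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin%2Ephp HTTP/1.1" 200 512 "-" "-"
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Path of the vulnerable script relative to the exposed vendor directory (CVE-2017-9841).
EVAL_STDIN_SUFFIX = "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"


def normalize_path(path):
    """Drop the query string, URL-decode twice (defeats double-encoding), lower-case."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def is_eval_stdin_probe(path):
    """True if the (normalised) request path ends in the vulnerable script."""
    return normalize_path(path).endswith(EVAL_STDIN_SUFFIX)


def scan_access_log(text):
    """Return one finding per request that touched eval-stdin.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_eval_stdin_probe(m["path"]):
            continue
        status = int(m["status"])
        # A 2xx means the script was reachable and ran; for a POST, the request body
        # was evaluated as PHP. A 403/404 means the probe was blocked or the file is absent.
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": normalize_path(m["path"]), "status": status,
                         "reachable": 200 <= status < 300})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "REACHABLE - investigate host" if f["reachable"] else "blocked/absent"
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']} ({verdict})")
```

Any finding marked reachable means the vendor directory is web-exposed and the host should be treated as potentially compromised, not merely hardened.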

Limit which commands and scripts can be executed by PHPUnit or related tools to minimize the damage in case of an exploit.

The post-mortem revealed the real failure: a developer had run composer install --no-dev on the build server but used composer install (including dev dependencies) on the staging image. Then that image got promoted. Twice.


Technical details (concise)

Protecting your systems from CVE-2017-9841 requires immediate action. The principle of "defense in depth" applies here: remove the vulnerable file, ensure dependencies are correct, and block access.

Exploiting this vulnerability is alarmingly trivial. It does not require authentication or complex bypass techniques. An attacker can achieve RCE by sending a simple HTTP POST request containing PHP code to the vulnerable endpoint.

Some versions of PHPUnit have had vulnerabilities leading to remote code execution, especially where an attacker can manipulate input to a test or to a script executed by PHPUnit. The appearance of eval-stdin.php together with the word "exploit" in a command or request suggests an attempt to leverage such a vulnerability.

CVE-2017-9841 is a critical, actively exploited Remote Code Execution (RCE) vulnerability in PHPUnit that allows unauthorized users to execute commands via the eval-stdin.php script, often targeting improperly exposed production environments. Remediation requires upgrading PHPUnit to version 4.8.28+ or 5.6.3+, restricting public access to the /vendor folder, and ensuring development tools are not deployed in production. For more technical details and mitigation steps, visit the OVHcloud Blog.

If you run composer install without --no-dev on a public server, you are effectively inviting attackers to execute any code they wish. The fix is simple: use .gitignore for vendor/ on the build side, and never, ever let phpunit touch your production web root.

The exploit is notoriously easy to trigger. It requires that the vendor directory of the web application is publicly accessible, which is a common misconfiguration.

1. The Attack Vector

The vulnerability exists in the file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. The contents of the file in vulnerable versions are minimal and look roughly like this:

The exploit takes advantage of how the eval-stdin.php file processes input. The file is designed to read PHP code from standard input and evaluate it. While this functionality sounds benign and is useful for testing, it becomes a significant security risk when the file is exposed over the web: an attacker can send malicious PHP code to the server, which then executes it.