If an attacker can make a web server execute this file and supply arbitrary PHP code in the request body (which is exactly what php://input exposes as the script's "stdin" when PHP runs under a web server), they achieve Remote Code Execution (RCE): their code runs with the privileges of the PHP worker, which in practice means control of the web application and a foothold on the server.
The attack signature was bizarre: POST requests to /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php with raw PHP code in the body.
This script accepts PHP code on its input stream, evaluates it with eval(), and writes the result to its output. PHPUnit uses it to run test code in a separate child PHP process, which is how it isolates tests that must not share state with the main process.
This helper was written by the PHPUnit developers to run test code across a process boundary: the parent process starts it and hands it PHP code on an input stream. Its entire execution logic is one line:

eval('?>' . file_get_contents('php://input'));

The leading '?>' closes PHP mode so that the supplied code can begin with its own '<?php' tag, just as a file would; anything before that tag is echoed literally. The flaw is the stream it reads from.

Why php://input Is Dangerous in Web Contexts

When PHP is executed by a web server (mod_php, php-fpm, CGI), php://input is the raw body of the current HTTP request, not the standard input of the process. So anyone who can send a POST request to this file chooses the code that eval() runs. The fix that shipped in PHPUnit 4.8.28 and 5.6.3 replaced php://input with php://stdin, so the script now only reads from the process that spawned it.
When deploying to production, install with Composer's --no-dev flag so that require-dev packages such as phpunit/phpunit are never written to vendor/ on the server:

composer install --no-dev --optimize-autoloader

This only helps if PHPUnit is listed under require-dev in composer.json; a package listed under require is installed regardless of the flag.
Action plan (recommended)
The vulnerability lies within eval-stdin.php, a utility script that ships with the PHPUnit testing framework and is installed into vendor/ by Composer along with the rest of the package.

The Vulnerable Component
eval-stdin.php reads the request body and executes it; whatever the injected code prints is returned in the HTTP response, so the attacker receives command output directly.

Impact of Successful Exploitation
Attackers scan the internet for exposed vendor directories, targeting paths that end in phpunit/src/Util/PHP/eval-stdin.php (the PHPUnit 4 and 5 layout) or phpunit/Util/PHP/eval-stdin.php (the older layout), under /vendor/ and under any other directory where a Composer tree might have been published.
The root cause is frequently that the web server document root is set to the project root rather than to the public web/ or public/ subdirectory, which makes vendor/ (and everything else in the project) directly reachable over HTTP. Copying or deploying the vendor/ tree into a web-served location has the same effect.

Mitigation and Prevention Steps
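The following is an added example, not code from the original article or from PHPUnit: a small Python audit that checks a deployment for the conditions discussed above, namely vendor/ inside the document root, an eval-stdin.php reachable under the document root, and phpunit/phpunit listed under require rather than require-dev (so that composer install --no-dev would not remove it). The function names and the temporary project layout it builds for demonstration are assumptions made for this example.

```python
import json
import os
import tempfile
from pathlib import Path

# Names below (vendor_under_docroot, find_eval_stdin, phpunit_in_require, audit,
# build_fixture) are this example's own; neither PHPUnit nor Composer ships such a tool.


def vendor_under_docroot(docroot, project_root):
    """True if <project_root>/vendor sits inside the web server's document root,
    i.e. DocumentRoot (Apache) / root (Nginx) points at the project root
    instead of at public/ or web/."""
    vendor = (Path(project_root) / "vendor").resolve()
    root = Path(docroot).resolve()
    try:
        vendor.relative_to(root)
        return True
    except ValueError:
        return False


def find_eval_stdin(docroot):
    """Every eval-stdin.php that a web server rooted at docroot could serve."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() == "eval-stdin.php":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def phpunit_in_require(composer_json_text):
    """True if phpunit/phpunit is a runtime dependency. composer install --no-dev
    skips require-dev only; anything under require is installed in production."""
    data = json.loads(composer_json_text)
    return "phpunit/phpunit" in data.get("require", {})


def audit(project_root, docroot):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if vendor_under_docroot(docroot, project_root):
        findings.append("vendor/ is inside the document root; point the web root at public/ or web/ instead")
    for hit in find_eval_stdin(docroot):
        findings.append(f"web-reachable eval-stdin.php: {hit}")
    composer_json = Path(project_root) / "composer.json"
    if composer_json.is_file() and phpunit_in_require(composer_json.read_text()):
        findings.append("phpunit/phpunit is under 'require'; move it to 'require-dev' so --no-dev drops it")
    return findings


def build_fixture():
    """Constructed sample project: composer.json lists PHPUnit as a runtime
    dependency and vendor/ holds the vulnerable helper next to an empty public/."""
    root = tempfile.mkdtemp(prefix="phpunit-audit-")
    helper_dir = Path(root, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
    helper_dir.mkdir(parents=True)
    # The pre-4.8.28 / pre-5.6.3 one-liner quoted in the article.
    (helper_dir / "eval-stdin.php").write_text(
        "<?php\neval('?>' . file_get_contents('php://input'));\n"
    )
    Path(root, "public").mkdir()
    Path(root, "composer.json").write_text(
        json.dumps({"require": {"phpunit/phpunit": "^5.6"}})
    )
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("DocumentRoot = project root:")
    for finding in audit(root, root):
        print("  -", finding)
    print("DocumentRoot = public/:")
    for finding in audit(root, os.path.join(root, "public")) or ["no findings"]:
        print("  -", finding)
```

Run it against a real checkout by calling audit() with the project directory and the DocumentRoot or root directive from the server config; pointing the web root at public/ removes two of the three findings, and moving phpunit/phpunit to require-dev removes the last.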
Let's look at a simplified version of the vulnerable code present in PHPUnit versions before 4.8.28 and in 5.x before 5.6.3:
PHPUnit is a popular testing framework for PHP applications. It provides a comprehensive set of tools for writing and executing unit tests. However, like any software, PHPUnit is not immune to vulnerabilities. In 2017 a critical vulnerability, tracked as CVE-2017-9841, was found in the eval-stdin.php file in its src/Util/PHP directory. This report provides an in-depth analysis of the vulnerability, its impact, and potential exploits.
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: target-website.com
Content-Length: 32

The request body (not reproduced here) carries the PHP code to be executed; it has to begin with a <?php tag, because the script's leading '?>' leaves PHP mode and anything before that tag is merely echoed back.
192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234
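Added example, not from the original article: detection logic that runs over access-log lines in the format shown above and grades each eval-stdin.php request. A POST answered with 200 means the file was served and ran the request body, so the host should be treated as compromised; a POST answered with 403/404/5xx is an attempt that failed; a GET is a scanner probing for the path. The sample log lines are constructed for the example (the first one is the line quoted above), and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Names below (parse_line, classify, scan, attacker_ips) are this example's own.

# Apache/Nginx "combined" log prefix: client, identd, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Both directory layouts that scanners probe: PHPUnit 4/5 (src/Util/PHP) and the
# older PHPUnit/Util/PHP tree. Matched case-insensitively because the files may
# sit on a case-insensitive filesystem; '(?:src/)?' makes the src segment optional.
EVAL_STDIN_RE = re.compile(r'phpunit/(?:src/)?util/php/eval-stdin\.php', re.I)


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Severity for one parsed entry, or None when it is not an eval-stdin.php request.

    exploit-success: POST answered 200, so the script ran the request body;
                     treat the host as compromised until proven otherwise.
    exploit-attempt: POST answered anything else (403/404/5xx): the file was
                     not served, but someone is actively attacking this host.
    probe:           GET/HEAD etc. checking whether the path exists.
    """
    if entry is None:
        return None
    # Decode %-escapes first; eval%2Dstdin.php reaches the same file.
    if not EVAL_STDIN_RE.search(unquote(entry["path"])):
        return None
    if entry["method"] == "POST":
        return "exploit-success" if entry["status"] == "200" else "exploit-attempt"
    return "probe"


def scan(lines):
    """Return one finding dict per eval-stdin.php request, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        severity = classify(entry)
        if severity:
            findings.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "status": int(entry["status"]),
                "path": entry["path"],
                "severity": severity,
            })
    return findings


def attacker_ips(findings):
    """Distinct client addresses behind the findings, for blocking or pivoting."""
    return sorted({f["ip"] for f in findings})


# Constructed sample log; the first line is the one quoted in the article.
SAMPLE_LOG = [
    '192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [12/May/2025:10:22:10 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [12/May/2025:10:22:11 +0000] "POST /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 403 199',
    '198.51.100.4 - - [12/May/2025:10:25:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/May/2025:10:26:30 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:16} {f['ip']:15} {f['method']} {f['status']} {f['path']}")
    print("attacker IPs:", ", ".join(attacker_ips(scan(SAMPLE_LOG))))
```

The status code is the important field: a 200 on a POST is an incident, not an alert, because the response body already carried the output of whatever the attacker sent. A 404 on the same path is the normal signature of mass scanning and is worth a block-list entry rather than a page-out.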