CVE-2017-9841
Published: 27 June 2017
Summary
CVE-2017-9841 is a critical-severity code injection (CWE-94) vulnerability in PHPUnit (the CPE vendor/product pair is "Phpunit Project Phpunit"). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, so unpatched, web-exposed copies should be treated as actively targeted.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2017-9841 is a remote code execution vulnerability in the Util/PHP/eval-stdin.php component of PHPUnit versions prior to 4.8.28 and 5.x prior to 5.6.3. The script reads the raw HTTP POST body and hands it straight to PHP evaluation, so a request body that begins with a "<?php " substring is executed as PHP code; this is CWE-94 code injection. The flaw is only reachable when the PHPUnit package is served from a web-accessible path, typically a Composer /vendor directory sitting under the document root. PHPUnit is a development dependency and has no reason to be present on a production web server at all.
Remote attackers with no authentication or user interaction can exploit the issue by sending crafted POST data to the eval-stdin.php URI, achieving arbitrary PHP code execution with the privileges of the web server process. The vulnerability carries a CVSS v3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting a network attack vector, low complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability.
The referenced GitHub commit and pull request, along with the archived PHPUnit advisory, indicate that the issue is resolved by upgrading to the fixed versions 4.8.28 or 5.6.3, which stop the script from evaluating the HTTP request body. Upgrading alone is not sufficient hardening: the vendor directory, and development-only packages such as PHPUnit in particular, should also be kept out of the web-served document root.
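The request shape described above, and a way to spot attempts against it in web-server access logs, as an added example (this is illustration code written for this page, not PHPUnit project code). It builds the benign "echo a hash" probe that confirms an exposed eval-stdin.php without modifying the host, and then scans Combined Log Format lines for requests to the script. The target path constant, the canary, and the sample log lines are constructed for the example; the log rule keys on the script name rather than the full /vendor/... path from the advisory, because in-the-wild scanners try many directory prefixes.

```python
"""Added example (not PHPUnit project code): build the benign request that confirms
an exposed eval-stdin.php, and flag requests for that script in access logs.
The path, canary and log lines below are constructed for illustration."""
import hashlib
import re
from urllib.parse import urlsplit

# Path from the advisory (assumes a Composer install whose /vendor directory is
# served by the web server).
EVAL_STDIN_PATH = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def build_probe(canary: str) -> tuple[str, str]:
    """Return (post_body, expected_marker) for a non-destructive check.

    The body must start with '<?php ' because the vulnerable script evaluates the
    raw POST data as PHP. A vulnerable host echoes md5(canary) in its response;
    a patched host, a 403 or a 404 does not. The canary is restricted to a safe
    character set so it cannot break out of the PHP string literal.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", canary):
        raise ValueError("canary must be 1-64 chars of [A-Za-z0-9_-]")
    body = f'<?php echo md5("{canary}");'
    expected = hashlib.md5(canary.encode()).hexdigest()
    return body, expected


def confirms_exposure(response_body: str, expected_marker: str) -> bool:
    """True when the response contains the hash only a vulnerable host would emit."""
    return expected_marker in response_body


# Combined Log Format lines, constructed for this example (RFC 5737 test addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [15/Feb/2022:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "curl/7.68.0"
198.51.100.4 - - [15/Feb/2022:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2022:10:01:09 +0000] "POST /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.7 - - [15/Feb/2022:10:01:11 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Match on the script name: attackers probe many prefixes, not just /vendor.
EVAL_STDIN_RE = re.compile(r"/Util/PHP/eval-stdin\.php$", re.IGNORECASE)


def find_eval_stdin_requests(log_text: str) -> list[dict]:
    """Return every request whose path targets eval-stdin.php.

    Any hit is a probe worth investigating. A POST answered with 200 is the case
    consistent with the attacker's PHP having run, so it is flagged for first triage;
    a GET answered with 200 shows the script is reachable even if nothing ran.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if not EVAL_STDIN_RE.search(path):
            continue
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": path,
            "status": int(m["status"]),
            "likely_executed": m["method"] == "POST" and m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    body, marker = build_probe("phpunit-check-2017-9841")
    print("POST body:", body)
    print("expect in response:", marker)
    for hit in find_eval_stdin_requests(SAMPLE_ACCESS_LOG):
        print(hit)
```

The probe only echoes a hash; it is the minimum needed to distinguish "script is reachable and evaluates input" from "script is reachable but patched" (a patched copy returns nothing useful for a GET or POST). Send it only against hosts you are authorised to test.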
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1528
Vulnerability details
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
- KEV Date Added: 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of the vendor-supplied patches (4.8.28 / 5.6.3) that close the eval-stdin.php code path.
- CM-7 (Least Functionality): Mandates disabling or removing unnecessary software components, such as a development-only PHPUnit install and its eval-stdin.php script, from production web servers, so that the unauthenticated code execution path does not exist at all.
- Access enforcement on web-server paths: Restricts access to the vendor directory (deny rules on /vendor, or a document root that does not contain it) so that even an unpatched PHPUnit installation cannot be reached via the /vendor/phpunit/.../eval-stdin.php URI.
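A check for the first two controls above, as an added example (written for this page, not PHPUnit project code): it reads the pinned phpunit/phpunit version out of composer.lock and compares it with the fixed releases for the 4.x and 5.x branches (SI-2), and it tests whether the Composer vendor directory resolves to a location under the web document root, which is what makes eval-stdin.php servable in the first place (CM-7 and the path restriction). The composer.lock excerpt and the directory paths are constructed for the example. The version rule goes slightly beyond the advisory text: releases older than the 4.x line are treated as affected, and 6.0 and later, which shipped after the fix, as not affected.

```python
"""Added example (not PHPUnit project code): audit a deployment for CVE-2017-9841
against SI-2 (patched version) and CM-7 (vendor directory not web-served).
The composer.lock excerpt and paths are constructed for illustration."""
import json
import os
import re
from typing import Optional

# First non-vulnerable release on each affected branch, per the advisory.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'v4.8.27' / '5.6.2' style tags; rejects dev-master style aliases."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError(f"unparseable phpunit version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """CVE-2017-9841 affects releases before 4.8.28 and 5.x before 5.6.3.

    Anything older than the 4.x line is treated as affected (assumption: the
    script predates the fix there too); 6.0 and later shipped after the fix."""
    major, minor, patch = parse_version(version)
    if major < 4:
        return True
    if major in FIXED:
        return (major, minor, patch) < FIXED[major]
    return False


def phpunit_version_from_lock(lock_text: str) -> Optional[str]:
    """Return the pinned phpunit/phpunit version from composer.lock, or None.

    Composer records test tooling under 'packages-dev'. A production tree built
    with `composer install --no-dev` has no PHPUnit at all, which is the state
    CM-7 asks for."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg["version"]
    return None


def vendor_is_web_accessible(web_root: str, vendor_dir: str) -> bool:
    """True when vendor_dir lies inside web_root, i.e. the web server could
    serve vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php directly."""
    root = os.path.abspath(web_root)
    vendor = os.path.abspath(vendor_dir)
    return os.path.commonpath([root, vendor]) == root


# Constructed composer.lock excerpt: PHPUnit pinned one release short of the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "1.23.0"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}],
})


def audit(lock_text: str, web_root: str, vendor_dir: str) -> dict:
    """Combine both checks: RCE is reachable only if the version is affected
    AND the vendor tree is under the document root."""
    version = phpunit_version_from_lock(lock_text)
    needs_patch = version is not None and is_vulnerable(version)
    exposed = vendor_is_web_accessible(web_root, vendor_dir)
    return {
        "phpunit_version": version,
        "needs_patch": needs_patch,       # SI-2 finding
        "vendor_exposed": exposed,        # CM-7 / path-restriction finding
        "rce_reachable": needs_patch and exposed,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOCK, "/var/www/html", "/var/www/html/vendor"))
    print(audit(SAMPLE_LOCK, "/var/www/html/public", "/var/www/html/vendor"))
```

The second call in the usage block models the common fix of pointing the document root at a public/ subdirectory: the version finding stays (the package still needs upgrading or removing), but the exploitable combination goes away.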