CVE-2026-24765
Published: 27 January 2026
Summary
CVE-2026-24765 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in PHPUnit (vendor: PHPUnit Project). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 31.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely patching of PHPUnit to versions that detect pre-existing .coverage files and prevent the unsafe deserialization that leads to RCE.
- SI-10 (Information Input Validation): Mandates validation of information inputs such as .coverage files prior to deserialization, blocking malicious serialized objects with __wakeup() methods.
- AC-6 (Least Privilege): Enforces least privilege to deny local file write access to the directories where PHPUnit expects .coverage files, preventing attackers from placing malicious files there.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization in a developer testing tool (PHPUnit) directly enables adversaries to exploit the vulnerability for arbitrary code execution on the client system running the tests (e.g., developer workstation or CI agent). Local file-write access is a prerequisite, but the core effect matches T1203; scope is unchanged so T1068 is not applicable.
NVD Description
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Deeper analysis
CVE-2026-24765 is a deserialization vulnerability in PHPUnit, a testing framework for PHP, affecting versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52. The issue resides in the `cleanupForCoverage()` method, which deserializes code coverage files (`.coverage`) without validation, such as the `allowed_classes` parameter restriction, during PHPT test execution. This unsafe deserialization occurs if a `.coverage` file exists unexpectedly before test execution, potentially leading to remote code execution when code coverage instrumentation is enabled.
An attacker requires local file write access to the directory where PHPUnit stores or expects code coverage files for PHPT tests. They can place a malicious serialized object with a `__wakeup()` method into a `.coverage` file, triggering arbitrary code execution upon deserialization during test runs. Exploitation is feasible in scenarios like CI/CD pipeline attacks, local development environments, or through compromised dependencies, with a CVSS score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and associated CWE-502.
Patches in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 detect pre-existing `.coverage` files for PHPT tests prior to execution and emit a clear error message instead of silently sanitizing input. Organizations can mitigate risk by updating to these versions and implementing CI/CD best practices, such as ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. Relevant details are available in the fix commit and release notes on GitHub.
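The two defensive options the NVD description and the analysis above contrast, written out as an added example (this is not PHPUnit's own code, and the `<name>.phpt.coverage` file location, the function names and the `$allowedClasses` placeholder are assumptions; requires PHP 8):

```php
<?php
// Added example, not PHPUnit's own code: the two defensive options the advisory describes.
// Assumption: a PHPT test's coverage file sits beside it as <name>.phpt.coverage.
declare(strict_types=1);

final class StaleCoverageFileError extends RuntimeException {}
// Pre-flight check (the maintainers' chosen approach): no .coverage file may exist before
// PHPT tests run. Fail loudly and list every stray file rather than deserializing it.
function assertNoStaleCoverageFiles(string $testDir): void
{
    $stale = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($testDir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (str_ends_with($file->getFilename(), '.phpt.coverage')) {
            $stale[] = $file->getPathname();
        }
    }
    if ($stale !== []) {
        throw new StaleCoverageFileError("Unexpected pre-existing coverage files:\n  " . implode("\n  ", $stale));
    }
}

// Defense in depth when coverage data must be read back: never unserialize() without an
// allowed_classes restriction. $allowedClasses is a placeholder for the exact classes the data
// legitimately contains; any other class becomes __PHP_Incomplete_Class, whose __wakeup()
// and __destruct() never run.
function readCoverageData(string $coverageFile, array $allowedClasses): mixed
{
    $raw = file_get_contents($coverageFile);
    if ($raw === false) {
        throw new RuntimeException("Cannot read $coverageFile");
    }
    $data = unserialize($raw, ['allowed_classes' => $allowedClasses]);
    if ($data === false && $raw !== 'b:0;') {
        throw new RuntimeException("Malformed coverage data in $coverageFile");
    }
    return $data;
}

// Usage with a constructed stray file in a temporary directory.
$dir = sys_get_temp_dir() . '/phpt-demo';
@mkdir($dir);
file_put_contents("$dir/example.phpt.coverage", serialize(['constructed' => true]));
try {
    assertNoStaleCoverageFiles($dir);  // throws: lists example.phpt.coverage
} catch (StaleCoverageFileError $e) {
    echo $e->getMessage(), PHP_EOL;
}
unlink("$dir/example.phpt.coverage");
```

Running the pre-flight check as a CI step before `phpunit --coverage-*` turns a silently deserialized stray file into a visible pipeline failure worth investigating.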
Details
- CWE(s)