PT-2026-34558 · Phpunity · Phpunit

Kayw-Geek · Published 2026-04-18 · Updated 2026-05-26 · CVE-2026-41570

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

PHPUnit versions prior to 12.5.22
PHPUnit versions prior to 13.1.6
Description

PHPUnit forwards PHP INI settings to child processes as `-d name=value` command-line arguments without neutralizing INI metacharacters. Because the PHP INI parser treats newlines as directive separators, an attacker who can influence an INI value can inject arbitrary directives into the child process configuration. This can be achieved by modifying `<ini name="…" value="…"/>` entries in phpunit.xml or phpunit.xml.dist, or by influencing settings inherited from the host PHP runtime via `ini_get_all()`. By setting the `auto_prepend_file` directive to an attacker-controlled path, remote code execution can be achieved in the child process. This issue is particularly relevant in Poisoned Pipeline Execution scenarios, where an untrusted contributor submits a pull request modifying phpunit.xml with invisible newline characters that are executed by a CI system without isolation. The vulnerable function is `PHPUnit\Util\PHP\JobRunner::settingsToParameters()`.
Recommendations

- Update to version 12.5.22.
- Update to version 13.1.6.
- Audit phpunit.xml and phpunit.xml.dist to ensure no `<ini value="…">` entries contain newline, `"`, or `;` characters.
- Run PHPUnit against pull requests only in ephemeral, containerized runners that discard filesystem state between jobs.
- Require human review before executing pull requests from forks.
- Enforce branch protection on workflows that handle secrets.
- Restrict modification access to phpunit.xml, treating `<ini>` entries as security-sensitive.
- Ensure the host php.ini does not contain values with embedded newlines or unescaped metacharacters.
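A CI-side check for the phpunit.xml audit recommended above, added here as an example; it is not code from PHPUnit or from the advisory. It assumes the standard `<php><ini name="…" value="…"/></php>` layout of phpunit.xml, and the sample document below is constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

# The PHP INI parser treats newlines as directive separators and uses '"' and ';'
# for quoting and comments, so any of these inside a forwarded -d name=value
# argument can alter the child process configuration.
INI_METACHARS = re.compile(r'[\r\n";]')

# Constructed sample phpunit.xml: the second <ini> hides a second directive behind
# an encoded newline (&#10;), which renders as an ordinary value in most viewers.
SAMPLE_PHPUNIT_XML = """<?xml version="1.0"?>
<phpunit bootstrap="vendor/autoload.php">
  <php>
    <ini name="display_errors" value="1"/>
    <ini name="memory_limit" value="512M&#10;display_startup_errors=1"/>
  </php>
</phpunit>
"""


def audit_phpunit_ini(xml_text: str) -> list[dict]:
    """Return one finding per <ini> name or value that contains an INI metacharacter."""
    root = ET.fromstring(xml_text)
    findings = []
    for ini in root.iter("ini"):  # entries live under <php><ini name=".." value=".."/>
        name = ini.get("name", "")
        for field, text in (("name", name), ("value", ini.get("value", ""))):
            match = INI_METACHARS.search(text)
            if match:
                findings.append({
                    "name": name,
                    "field": field,
                    "char": match.group(),
                    "offset": match.start(),
                })
    return findings


def check_file(path: str) -> int:
    """CI entry point: exit status 1 when any suspicious <ini> entry is present."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_phpunit_ini(fh.read())
    for f in findings:
        print(f"{path}: <ini name={f['name']!r}> {f['field']} contains "
              f"{f['char']!r} at offset {f['offset']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(check_file(sys.argv[1] if len(sys.argv) > 1 else "phpunit.xml"))
```

Run it as a required step before PHPUnit in any workflow that executes pull requests from forks; a non-zero exit blocks the job rather than letting the child process be configured from the pull request.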

Tags: Exploit · Fix · RCE · Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41570
GHSA-QRR6-MG7R-M243

Affected Products

Phpunit