PT-2026-5026 · Phpunity · Phpunit

Aqhmal · Published 2026-01-27 · Updated 2026-04-18

CVE-2026-24765
CVSS v3.1: 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PHPUnit versions prior to 12.5.8
PHPUnit versions prior to 11.5.50
PHPUnit versions prior to 10.5.62
PHPUnit versions prior to 9.6.33
PHPUnit versions prior to 8.5.52

Description
PHPUnit, a testing framework for PHP, contains a flaw related to unsafe deserialization of code coverage data during PHPT test execution. The issue resides in the cleanupForCoverage() method, which deserializes code coverage files without proper validation. This can lead to remote code execution if a malicious .coverage file is present before the PHPT test runs. The vulnerability is triggered when a .coverage file, which should not exist prior to test execution, is deserialized without restrictions. An attacker with local file write access can place a serialized object whose class defines a __wakeup() method into that location; PHP invokes __wakeup() when the object is reconstructed, resulting in arbitrary code execution during test runs with code coverage enabled. This vulnerability is particularly relevant in CI/CD pipeline attacks, local development environments, and scenarios involving compromised dependencies. The maintainers have addressed this by treating pre-existing .coverage files as an error condition, emitting a clear error message instead of silently sanitizing the input. The vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests.

Recommendations
Update to PHPUnit version 12.5.8 or later.
Update to PHPUnit version 11.5.50 or later.
Update to PHPUnit version 10.5.62 or later.
Update to PHPUnit version 9.6.33 or later.
Update to PHPUnit version 8.5.52 or later.
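
As an added illustration (not PHPUnit's own code), the pattern the advisory describes, written as hypothetical PHP helpers: a loader that unserializes whatever coverage file it finds on disk, beside a pre-run check modelled on the maintainers' fix that treats a pre-existing .coverage file as an error, plus a loader that restricts which classes unserialize() may instantiate. The function names, the tests/ directory and the .phpt-to-.coverage naming are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Unsafe variant: trusts whatever is on disk. If a .coverage file already exists
// before the PHPT test runs, its contents (attacker-controlled in the advisory's
// threat model) are unserialized, and PHP calls __wakeup() on any object it
// reconstructs. That is the code-execution path the advisory describes.
function loadCoverageUnsafe(string $coverageFile): mixed
{
    if (!is_file($coverageFile)) {
        return null;
    }

    return unserialize((string) file_get_contents($coverageFile));
}

// Hardened variant: the file must not exist before the test runs. A pre-existing
// file is an error condition that is reported, never unserialized. Run this
// check before executing the PHPT test, not after.
function assertNoStaleCoverageFile(string $coverageFile): void
{
    if (file_exists($coverageFile)) {
        throw new RuntimeException(sprintf(
            'Refusing to run PHPT test: code coverage file "%s" already exists. '
            . 'Remove it and re-run; a pre-existing file must not be unserialized.',
            $coverageFile
        ));
    }
}

// Once the test itself has written the file, load it with allowed_classes set so
// unserialize() cannot instantiate arbitrary objects (unknown classes become
// __PHP_Incomplete_Class and no __wakeup() runs). The class list passed in is
// an assumption; use the data classes your coverage format actually contains.
function loadCoverageRestricted(string $coverageFile, array $allowedClasses): mixed
{
    return unserialize(
        (string) file_get_contents($coverageFile),
        ['allowed_classes' => $allowedClasses]
    );
}

// Constructed usage: a CI pre-check over a test directory, assuming each
// coverage file sits beside its .phpt test with a .coverage extension.
$testDir = __DIR__ . '/tests';
foreach (glob($testDir . '/*.phpt') ?: [] as $phpt) {
    assertNoStaleCoverageFile(substr($phpt, 0, -5) . '.coverage');
}
```

Failing the pipeline on a stale .coverage file, rather than deleting it quietly, also gives defenders a signal worth alerting on, since in the advisory's threat model such a file should never be there.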

Weakness Enumeration
RCE
Deserialization of Untrusted Data

Related Identifiers
CVE-2026-24765
GHSA-VVJ3-C3RP-C85P

Affected Products
Phpunit