# vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE (CVE-2017-9841)

```shell
composer require phpunit/phpunit:">=5.6.3"
```

Because eval-stdin.php immediately processes the POST body beginning with the

Configure your web server to block access to /vendor/.

The following PHPUnit versions are affected:

| Item | Value |
|------|-------|
| Vulnerability | Remote Code Execution (RCE) |
| CVE | CVE-2017-9841 |
| Affected File | vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php |
| Attack Vector | HTTP POST to that file with PHP code in body |
| Patch | Remove PHPUnit from production / upgrade to PHPUnit ≥ 7.0 |
| Detection | grep -r "eval-stdin" /var/www / web logs for POST to that URI |
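The Detection row above suggests checking web logs for POSTs to that URI. The following is an added example, not code from the original page, that does this over a few constructed access-log lines in the combined format Apache and nginx write by default; the severity labels are this example's own convention.

```python
import re

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Match the helper script wherever the vendor tree sits (webroot or inside a
# module directory, as in the PrestaShop case), case-insensitively.
EVAL_STDIN_RE = re.compile(r'/phpunit/.*?/eval-stdin\.php', re.IGNORECASE)

def find_eval_stdin_hits(lines):
    """Return one finding per request that touched eval-stdin.php.

    A POST carries the PHP code in its body, so it is the exploitation pattern;
    a GET to the same path is only a probe. A POST answered with 200 means the
    script was reachable and ran the body, which responders should treat as a
    likely compromise rather than a blocked attempt.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not EVAL_STDIN_RE.search(m.group('path')):
            continue
        severity = 'exploit-attempt' if m.group('method') == 'POST' else 'probe'
        if severity == 'exploit-attempt' and m.group('status') == '200':
            severity = 'likely-compromise'
        hits.append({'ip': m.group('ip'), 'method': m.group('method'),
                     'path': m.group('path'), 'status': m.group('status'),
                     'severity': severity})
    return hits

# Constructed sample log lines (documentation IP ranges, not a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.28"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_eval_stdin_hits(SAMPLE_LOG):
        print(hit)
```

Pipe a real access log in line by line in place of SAMPLE_LOG; a 403 on the POST confirms the /vendor/ block is working, while a 200 is the signal to start incident response.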

The critical flaw in this script stems from a single line of code:

```php
eval('?>' . file_get_contents('php://input'));
```

## Why This Is Dangerous

The application was deployed with development tools included (e.g., executing composer install without the --no-dev flag).

## How the Exploit Works (PoC Breakdown)

In 2020, PrestaShop warned that its ps_facetedsearch module and other modules could be vulnerable if they included PHPUnit as a dependency. The same eval-stdin.php file could be exploited to execute code on PrestaShop stores, endangering e-commerce websites.

Use the --no-dev flag when installing dependencies on a production server:

```shell
composer install --no-dev
```

## 3. Configure Web Server Properly (Nginx/Apache)

The best practice is to never deploy development dependencies like PHPUnit to production. Delete the vendor/phpunit/ directory entirely on your live server.

- **Update PHPUnit:** If you must use these versions, upgrade to at least
- **Restrict Access:**

The vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php vulnerability is a glaring reminder of the risks of exposed dependencies. By ensuring that development tools are not part of the production environment, you can protect your infrastructure from this simple yet devastating RCE.