(or similar paths), which reads PHP code directly from standard input (stdin) and executes it without any authentication or validation. Vulnerability Type: Remote Code Execution (RCE) / Code Injection. CVSS Score: 9.8 (Critical). Affected Versions: PHPUnit before and versions 5.x before National Institute of Standards and Technology (.gov) 2. Why This Happens This vulnerability is typically exploited in production environments directory is accidentally exposed to the public internet.
Use the --no-dev flag when installing dependencies on a production server: composer install --no-dev Use code with caution. 3. Configure Web Server Properly (Nginx/Apache)
In addition to updating PHPUnit, there are several best practices you can follow to minimize the risk of exploitation: vendor phpunit phpunit src util php eval-stdin.php cve
Attackers often chain this with file inclusion, SQL injection, or LFI vulnerabilities—or simply use eval-stdin.php as their initial foothold.
According to cybersecurity research from VulnCheck in May 2026, this 9-year-old vulnerability is still actively targeted, with thousands of exploitation attempts occurring recently. (or similar paths), which reads PHP code directly
Several open-source tools can help you scan for this vulnerability at scale:
On the day of the talk, a half-dozen faces appeared on the call, yawning and caffeinated. Marta shared minimal slides: one slide with a diagram of the attack surface, one with the safe alternatives (local-only commands, feature flags, explicit release packaging), and one with a single line of code crossed out: eval($input). She explained how the internals of PHP made eval seductive: immediate, flexible, and dangerously capable. Someone asked a practical question about whitelisting—Marta answered simply: never whitelist inputs to eval; remove eval from release artifacts. Affected Versions: PHPUnit before and versions 5
After the session, QA added a regression test to their pipeline that scanned releases for suspicious patterns; the security team implemented a rule in their pre-release checklist: no runtime-eval without an explicit, documented exception and a threat model. The contractor’s name stayed in the commit history, a small fossil—lessons embedded in the code’s DNA.