Between PHPUnit versions 4.8.19 and 5.0.10, the developers included a utility script called eval-stdin.php.
The intended, legitimate purpose of this script was to allow developers to pipe PHP code directly from their command line into the PHPUnit environment for quick testing.
Here is what the vulnerable code essentially looked like:
<?php
// ... evaluates whatever is passed to Standard Input (STDIN) ...
eval('?>' . file_get_contents('php://stdin'));
?>
The fatal flaw: if this file is left on a production server and exposed to the internet via an open directory index, anyone can send an HTTP POST or GET request containing PHP code to that specific URL. The server will receive it, pass it to eval(), and execute it as if the attacker were sitting at the server's keyboard.
The problem is not what the script does, but where it lives. The file resides inside the vendor/ directory, which in many misconfigured production environments is still reachable through the web root.
Consider a server where the document root should point to /var/www/html/public, but the developer mistakenly set it to /var/www/html/. An attacker could potentially request:
https://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
While the script itself expects input from stdin, the danger is often amplified by other server configurations or by combining it with PHP wrappers (e.g., php://input). In vulnerable versions, an attacker could POST raw PHP code directly to this endpoint and have it executed.
In essence, leaving eval-stdin.php in a web-accessible directory is equivalent to leaving a sign on your server that says: "Run any code you want here."
The presence of vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php in a production web root is a severe security misconfiguration. It effectively provides an unauthenticated web shell. Organizations must ensure that:
CVSS 3.1 Score: 9.8 (Critical)
CWE: CWE-94 (Improper Control of Generation of Code)
Known Exploit-DB ID: 46320