vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE

In the sprawling ecosystem of PHP dependencies, few files have a reputation as infamous as eval-stdin.php. Tucked deep within the phpunit/phpunit source tree (src/Util/PHP/eval-stdin.php), this small script became the epicenter of one of the most widely exploited remote code execution (RCE) vulnerabilities in modern web history: CVE-2017-9841.

If you have ever run composer install on a legacy project, pulled a popular CMS like Drupal, WordPress, or Magento, or inherited a decade-old codebase, chances are you have—unknowingly—hosted this backdoor.

This article dissects the vulnerability, its root cause, the exploitation mechanics, and why a single file inside a unit testing tool became the darling of penetration testers and malicious attackers alike.

Check your composer.lock for the installed PHPUnit version:

composer show phpunit/phpunit

If the reported version is ≤ 4.8.28 or ≤ 5.6.3, you’re vulnerable.

Also, check if the file exists and is web-accessible:

find vendor/phpunit -name "eval-stdin.php"
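The two checks above (version in composer.lock, file reachable under the web root) can be scripted. The following is an added example, not PHPUnit's or Composer's own tooling: it applies the version cut-offs stated above, parses the locked phpunit/phpunit version out of composer.lock with awk, and reports whether any eval-stdin.php sits under the document root. The function names, the "exposed"/"safe" sample layouts and the sample composer.lock are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not PHPUnit's own tooling): audit a Composer project for
# the eval-stdin.php exposure described above. Assumes composer.lock at the
# project root and a document root passed separately.

# version_le A B: exit 0 when dotted version A <= B, compared numerically
# field by field (so 4.10.0 is newer than 4.8.28). A "v" prefix and
# pre-release suffixes such as "-beta" are ignored.
version_le() {
    a="${1#v}"; b="${2#v}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 0
}

# phpunit_vulnerable VERSION: exit 0 when VERSION falls in the affected
# ranges stated in the article (<= 4.8.28, or a 5.x release <= 5.6.3).
phpunit_vulnerable() {
    v="${1#v}"
    major="${v%%.*}"
    if [ "$major" = "5" ]; then
        version_le "$v" 5.6.3
    else
        version_le "$v" 4.8.28
    fi
}

# extract_phpunit_version LOCKFILE: print the locked phpunit/phpunit
# version (Composer writes "name" before "version" in each package entry).
extract_phpunit_version() {
    awk '/"name": "phpunit\/phpunit"/ { found = 1 }
         found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# find_exposed_eval_stdin DOCROOT: list every eval-stdin.php under the
# document root (and therefore reachable over HTTP); exit 1 if none.
find_exposed_eval_stdin() {
    hits=$(find "$1" -type f -name 'eval-stdin.php' 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_sample_project LAYOUT: build a throwaway project tree (constructed
# data, not a real install). "exposed" puts vendor/ inside public_html/;
# "safe" keeps vendor/ outside the document root. Prints the directory.
make_sample_project() {
    dir=$(mktemp -d)
    case "$1" in
        exposed) vendor="$dir/public_html/vendor" ;;
        *)       vendor="$dir/vendor" ;;
    esac
    mkdir -p "$dir/public_html" "$vendor/phpunit/phpunit/src/Util/PHP"
    printf '<?php // stand-in for the real eval-stdin.php (constructed)\n' \
        > "$vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    cat > "$dir/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "monolog/monolog",
            "version": "1.23.0"
        },
        {
            "name": "phpunit/phpunit",
            "version": "4.8.27"
        }
    ]
}
EOF
    printf '%s\n' "$dir"
}

# audit_project PROJECT_DIR DOCROOT: print a short report. Exit status is a
# bitmask: 0 clean, 1 affected version, 2 file reachable, 3 both.
audit_project() {
    ver=$(extract_phpunit_version "$1/composer.lock")
    echo "phpunit/phpunit locked at: ${ver:-<not installed>}"
    status=0
    if [ -n "$ver" ] && phpunit_vulnerable "$ver"; then
        echo "  version is in the affected range"
        status=1
    fi
    if hits=$(find_exposed_eval_stdin "$2"); then
        echo "  eval-stdin.php reachable under document root:"
        printf '%s\n' "$hits" | sed 's/^/    /'
        status=$((status + 2))
    fi
    return "$status"
}

# Demo on the constructed trees; a real audit would pass the project root
# and the web server's document root instead.
for layout in exposed safe; do
    p=$(make_sample_project "$layout")
    echo "== $layout layout =="
    audit_project "$p" "$p/public_html" || true
    rm -rf "$p"
done
```

The "safe" layout still reports the affected version (the package should be upgraded or moved to require-dev and not installed in production), but it no longer reports a reachable file, which is the distinction the article draws between the file merely existing and it being web-accessible.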

The eval-stdin.php script in PHPUnit contains the following code:

eval('?>' . file_get_contents('php://stdin'));

This script takes input from standard input and evaluates it as PHP code without any authentication or validation.

If this script is accessible via a web server (e.g., placed in a publicly accessible vendor/ directory or misconfigured web root), an attacker can send arbitrary PHP code via POST data or query parameters, leading to remote code execution.


This file is part of PHPUnit's utility for running tests in isolated processes. It is designed to be invoked from the command line interface (CLI), never through a web browser.

The vulnerability is usually exploited when a developer accidentally commits the vendor directory to the source code repository (like GitHub) or deploys it to a production web server. If the vendor folder is publicly accessible on the web, an attacker can target this specific file.

The CVE-2017-9841 saga taught the PHP community several painful lessons:

The file src/Util/PHP/eval-stdin.php was intended for internal testing purposes. It contains the following code (simplified):

<?php
eval('?>' . file_get_contents('php://stdin'));

This script reads raw input from php://stdin (standard input) and passes it directly to eval(). No authentication, authorization, or input sanitization is performed.

What goes wrong?
If this script is accidentally exposed to the web (e.g., placed in a publicly accessible vendor/ directory), an attacker can send arbitrary PHP code via POST data or request body. The script will execute that code with the privileges of the web server.
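Because an exposed copy is reached over plain HTTP, the web server's access log is where the exposure shows up. The following is an added example, not part of the article or of PHPUnit: it scans combined-format access-log lines for any request whose path contains eval-stdin.php, separates mere probes (404) from requests the server actually answered with 2xx to a POST, and lists the client addresses involved. The log lines are constructed for the demo and use documentation-reserved addresses; the function names are the example's own.

```shell
#!/bin/sh
# Added example: flag access-log entries that touch eval-stdin.php so an
# exposed copy, or scanning for one, is noticed. The lines in SAMPLE_LOG
# are constructed for the demo (RFC 5737 addresses), not real traffic.

SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:09:13:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:09:14:02 +0000] "GET /assets/app.css HTTP/1.1" 200 884 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:15:11 +0000] "POST /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "curl/8.4.0"'

# eval_stdin_hits LOGFILE: one line per request whose path contains
# eval-stdin.php, formatted as: client method path status user-agent.
# Combined log format: $1 client, $6 "METHOD, $7 path, $9 status; the
# user agent is the last quoted string on the line.
eval_stdin_hits() {
    awk '
        $7 ~ /eval-stdin\.php/ {
            ua = $0; sub(/.*" "/, "", ua); sub(/"$/, "", ua)
            m = $6; sub(/^"/, "", m)
            printf "%s %s %s %s %s\n", $1, m, $7, $9, ua
        }' "$1"
}

# eval_stdin_executed LOGFILE: count POSTs to eval-stdin.php answered with
# a 2xx status, i.e. the file existed and the server ran it.
eval_stdin_executed() {
    eval_stdin_hits "$1" | awk '$2 == "POST" && $4 ~ /^2/ { n++ } END { print n + 0 }'
}

# eval_stdin_clients LOGFILE: distinct client addresses that requested the
# file at all; probes that got a 404 are still worth reviewing.
eval_stdin_clients() {
    eval_stdin_hits "$1" | awk '{ print $1 }' | sort -u
}

# Demo run over the constructed log; point the functions at the real
# access log (e.g. /var/log/nginx/access.log) in practice.
log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$log"
echo "Requests touching eval-stdin.php:"
eval_stdin_hits "$log"
echo "Executed (2xx to POST): $(eval_stdin_executed "$log")"
echo "Clients to review:"
eval_stdin_clients "$log"
rm -f "$log"
```

A non-zero count from eval_stdin_executed means the file was reachable and ran, which is the moment to treat the host as compromised and start incident response rather than just patching; a 404-only probe is the cue to confirm vendor/ is outside the document root before the next scanner finds a copy that isn't.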