vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit (CVE-2017-9841)
The exploit targeting vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php refers to CVE-2017-9841, a critical remote code execution (RCE) vulnerability in PHPUnit. Despite being nearly a decade old, it remains one of the most frequently scanned vulnerabilities in 2026 due to persistent misconfigurations in web environments.

Overview of the Vulnerability
Why this was possible
- Composer-managed PHP projects include vendor/ by default; sometimes vendor/ ends up inside webroot due to misconfiguration.
- Test/dev helpers are not intended for production; they may be left accessible after deployment.
- Some teams assumed permission-based restriction or obscurity was sufficient; web-accessible files in vendor/ were overlooked.
- Automated scanners and exploit scripts make discovery and exploitation straightforward.
Prevention
- Do not deploy dev/test tooling to production. Use composer install --no-dev for production builds.
- Use dependency scanning and SCA tools (e.g., composer audit, OWASP Dependency-Check) in CI.
- Enforce least privilege for the web server user and isolate critical services.
- Harden web server configuration to deny direct access to vendor/ and .git/ directories.
- Regularly review server file system for unexpected files and run intrusion detection.
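A pre-deployment check that turns the points above into an automated gate is shown below. It is an added example, not code from the original article or from PHPUnit or Composer: it audits a built release tree for the eval-stdin.php helper, for any package listed under packages-dev in composer.lock that is nonetheless present in vendor/, and for a vendor/ directory that sits inside the document root. The release tree it runs on is constructed in a temporary directory (a hypothetical project with a monolog/monolog runtime dependency and phpunit/phpunit as a dev dependency), and the webroot name "public" is an assumption.

```python
import json
import tempfile
from pathlib import Path

# Path of the PHPUnit test helper that CVE-2017-9841 concerns, relative to the project root.
EVAL_STDIN = Path("vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php")


def dev_packages_from_lock(lock_path):
    """Names listed under packages-dev in composer.lock (dev-only dependencies)."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    return {pkg["name"] for pkg in lock.get("packages-dev", [])}


def audit_deploy_tree(root, webroot="public"):
    """Return a list of findings for a built release tree; an empty list means it passed."""
    root = Path(root)
    findings = []

    # 1. The test helper itself must never ship.
    if (root / EVAL_STDIN).is_file():
        findings.append(f"test helper present: {EVAL_STDIN}")

    # 2. Nothing from packages-dev should be installed (i.e. composer install ran without --no-dev).
    lock = root / "composer.lock"
    if lock.is_file():
        for name in sorted(dev_packages_from_lock(lock)):
            if (root / "vendor" / name).is_dir():
                findings.append(f"dev-only package installed: vendor/{name}")

    # 3. vendor/ must not be reachable through the document root (webroot name is an assumption).
    if (root / webroot / "vendor").exists():
        findings.append(f"vendor/ is inside the document root: {webroot}/vendor")

    return findings


def build_sample_tree(include_dev):
    """Constructed sample release tree in a temp dir (hypothetical project, not a real deployment)."""
    root = Path(tempfile.mkdtemp(prefix="release-"))
    lock = {
        "packages": [{"name": "monolog/monolog"}],
        "packages-dev": [{"name": "phpunit/phpunit"}],
    }
    (root / "composer.lock").write_text(json.dumps(lock), encoding="utf-8")
    (root / "vendor/monolog/monolog").mkdir(parents=True)
    (root / "public").mkdir()
    (root / "public/index.php").write_text("<?php echo 'ok';", encoding="utf-8")
    if include_dev:
        # Simulate `composer install` run without --no-dev, plus vendor/ copied under the webroot.
        (root / EVAL_STDIN).parent.mkdir(parents=True)
        (root / EVAL_STDIN).write_text("<?php /* placeholder, not the real file */", encoding="utf-8")
        (root / "public/vendor").mkdir()
    return root


if __name__ == "__main__":
    for flag in (True, False):
        tree = build_sample_tree(flag)
        print(tree, audit_deploy_tree(tree) or "clean")
```

Wire `audit_deploy_tree` into the release job so that a non-empty result fails the build; the packages-dev comparison is what catches the general case, while the explicit eval-stdin.php check is a cheap belt-and-braces test for the file this page is about.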
Remediation
- Immediately remove eval-stdin.php from production and block access.
- Confirm whether the file was reachable (log review).
- If reachable, perform full incident response: contain, eradicate (restore from trusted snapshots), recover, and rotate secrets.
- Update deployment pipeline to exclude dev dependencies and add automated checks.
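The log review in the second step decides whether you are looking at a blocked scan or a full incident. The script below is an added example, not code from the original article: it parses web server access logs in the common "combined" format, normalises the request path (query string stripped, percent-decoding applied twice, case folded, duplicate slashes collapsed, since scanners vary all of these), flags every request for eval-stdin.php under a vendor/phpunit/ path, and classifies each hit as REACHABLE when the server answered 2xx and as blocked otherwise. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:10:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 48 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jan/2026:10:00:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jan/2026:10:00:04 +0000] "GET /vendor/phpunit/phpunit/src/util/php/eval-stdin.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2026:10:00:05 +0000] "POST /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2026:10:00:06 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise_path(raw):
    """Canonical form of a request path so that encoding and case tricks still match."""
    path = raw.split("?", 1)[0]          # drop the query string
    path = unquote(unquote(path)).lower()  # decode twice: some scanners double-encode
    return re.sub(r"/+", "/", path)       # collapse repeated slashes


def is_eval_stdin_request(raw_path):
    path = normalise_path(raw_path)
    return path.endswith("/eval-stdin.php") and "/vendor/phpunit/" in path


def parse_line(line):
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_log(text):
    """All requests for eval-stdin.php, each tagged REACHABLE (2xx) or blocked (anything else)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_eval_stdin_request(rec["path"]):
            rec["verdict"] = "REACHABLE" if 200 <= rec["status"] < 300 else "blocked"
            hits.append(rec)
    return hits


def summarise(hits):
    reachable = [h for h in hits if h["verdict"] == "REACHABLE"]
    return {
        "total": len(hits),
        "reachable": len(reachable),
        "reachable_sources": sorted({h["ip"] for h in reachable}),
        "by_status": dict(Counter(h["status"] for h in hits)),
    }


if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["verdict"]:9} {h["ip"]:15} {h["method"]:4} {h["status"]} {h["path"]}')
    print(summarise(hits))
```

A 403/404 answer means the request never reached PHP and can be treated as scanner noise; any 2xx to a POST against this file means the server executed whatever body was sent, so the host must go straight into the containment and restoration steps above rather than into further triage on the web server itself.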
Technical Details

Or use curl manually:

curl -X POST http://target-site.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
-d "<?php system('id'); ?>"

Conclusion