CVE-2026-41570
Status: Analyzed (analysis complete)
PHPUnit INI Injection Leading to Remote Code Execution

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor          | Product | Version / Range
phpunit_project | phpunit | 12.5.21
phpunit_project | phpunit | 13.1.5
CWE
CWE ID | Description
CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in PHPUnit versions 12.5.21 and 13.1.5, where PHPUnit forwards PHP INI settings to child processes as command-line arguments without properly neutralizing special INI metacharacters.

Because PHP's INI parser treats certain characters like double quotes (") as string delimiters, semicolons (;) as comment starters, and newlines as directive separators, an attacker who can influence a single INI value can inject multiple additional INI directives into the child process configuration.

This injection can include dangerous directives such as auto_prepend_file, extension, disable_functions, and open_basedir. For example, setting auto_prepend_file to a malicious file path can lead to remote code execution in the child process.

The issue was fixed in versions 12.5.22 and 13.1.6 of PHPUnit.


How can this vulnerability impact me?

This vulnerability can allow an attacker with the ability to influence a single PHP INI setting to inject arbitrary configuration directives into PHPUnit's child processes.

Such injection can lead to remote code execution, meaning the attacker could execute malicious code on the affected system with the privileges of the PHPUnit process.

This can compromise the confidentiality, integrity, and availability of the system running PHPUnit, potentially leading to data breaches, system manipulation, or denial of service.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade PHPUnit to versions 12.5.22 or 13.1.6 or later, where the issue has been patched.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not explicitly address how the vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves auditing PHPUnit configurations and PHP INI settings that are forwarded to child processes, especially looking for INI values containing newline characters or other metacharacters like quotes and semicolons that could be exploited.

You can check for vulnerable PHPUnit versions (12.5.21 and 13.1.5) installed on your system by running commands such as:

  • phpunit --version
  • composer show phpunit/phpunit

To detect potentially malicious or suspicious INI settings, you can search for phpunit.xml or other configuration files containing newline characters or suspicious directives like auto_prepend_file:

  • grep -nE '&#(10|13|x0*[aAdD]);' path/to/phpunit.xml   (grep matches line by line, so a newline inside an XML attribute value can only appear as a character reference such as &#10;)
  • grep -r --include=phpunit.xml 'auto_prepend_file' /path/to/project

Additionally, monitoring child process command-line arguments for unexpected -d name=value pairs containing metacharacters can help detect exploitation attempts.
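The two sides of the issue described on this page, the forwarding of INI settings as -d arguments (Description) and the monitoring of child command lines for -d values carrying metacharacters (this answer), as an added example. This is not PHPUnit's code or its fix; the function names and the constructed sample input are assumptions.

```php
<?php
// Added example, not PHPUnit's own code or its fix. Function names are assumed.
// PHP's INI parser treats a newline as a directive separator, ';' as a comment
// start and '"' as a string delimiter, so none of them may reach "-d name=value".
const INI_METACHARACTERS = '/[\r\n;"]/';

/** Throw if a directive name or value could alter how the child parses -d. */
function assertSafeIniSetting(string $name, string $value): void
{
    if (!preg_match('/^[A-Za-z0-9_.]+$/', $name)) {
        throw new InvalidArgumentException('Unsafe INI directive name: ' . var_export($name, true));
    }
    if (preg_match(INI_METACHARACTERS, $value)) {
        throw new InvalidArgumentException("INI value for {$name} contains INI metacharacters");
    }
}

/** Build the "-d name=value" argument list for a child PHP process, refusing unsafe settings. */
function buildIniArguments(array $settings): array
{
    $args = [];
    foreach ($settings as $name => $value) {
        assertSafeIniSetting((string) $name, (string) $value);
        $args[] = '-d';
        $args[] = $name . '=' . $value;
    }
    return $args;
}

/** Detection side: return the -d values in an observed command line that carry metacharacters. */
function findSuspiciousIniArguments(array $argv): array
{
    $hits = [];
    foreach ($argv as $i => $arg) {
        // Both "-d name=value" and the joined form "-dname=value" are accepted by the PHP CLI.
        $value = $arg === '-d' ? ($argv[$i + 1] ?? '') : (str_starts_with($arg, '-d') ? substr($arg, 2) : '');
        if ($value !== '' && preg_match(INI_METACHARACTERS, $value)) {
            $hits[] = $value;
        }
    }
    return $hits;
}

// Constructed sample input: a value that smuggles a second directive after a newline.
$injected = "256M\nauto_prepend_file=/tmp/injected.php";
try {
    buildIniArguments(['memory_limit' => $injected]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r(findSuspiciousIniArguments(['php', '-d', "memory_limit={$injected}", 'test.php']));
```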

