PHPUnit Unsafe Deserialization Vulnerability in PHPT Code Coverage Handling Allowing Remote Code Execution

Vulnerability

A vulnerability exists in PHPUnit versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52, related to unsafe deserialization of code coverage data during PHPT test execution. The issue arises in the 'cleanupForCoverage()' method, which deserializes code coverage files without proper validation. This flaw could lead to remote code execution if malicious '.coverage' files are present before the PHPT test runs. The vulnerability requires local file write access to the directory where PHPUnit expects code coverage files for PHPT tests. This scenario can occur through CI/CD pipeline attacks, local development environments, or compromised dependencies.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system where the affected PHPUnit version is running, potentially leading to a complete compromise of the system.

Reproduction

The vulnerability can be reproduced by creating a malicious '.coverage' file that includes a serialized object with a '__wakeup()' method. This file must be placed in the directory where PHPUnit expects code coverage files for PHPT tests. Once the malicious file is in place, running a PHPT test with code coverage instrumentation enabled will trigger the vulnerability, as PHPUnit will deserialize the file without restrictions, executing the embedded code.

Remediation

Users should update to PHPUnit versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, or 8.5.52. Additionally, it is recommended to review and enhance CI/CD pipeline security by using isolated environments, enforcing code review processes, and implementing branch protection rules.
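The pattern behind this advisory, as an added example that is not PHPUnit's own code: an unrestricted unserialize() of a coverage file beside a hardened loader that restricts instantiable classes. The class and function names are assumptions for illustration; the probe class only records that its __wakeup() hook ran.

```php
<?php
declare(strict_types=1);

// Added example, not PHPUnit's code. Names below are assumptions.

// Hypothetical stand-in for a legitimate coverage data object.
final class CoverageData
{
    public function __construct(public array $lines = []) {}
}

// Harmless stand-in for a class carrying a __wakeup() hook. It only records
// that the hook executed, which is the behaviour a gadget class would abuse.
final class WakeupProbe
{
    public static bool $triggered = false;

    public function __wakeup(): void
    {
        self::$triggered = true;
    }
}

// Vulnerable pattern: unserialize() with no class restriction instantiates
// whatever class the payload names and runs its __wakeup() before returning.
function loadCoverageUnsafe(string $serialized): mixed
{
    return unserialize($serialized);
}

// Hardened pattern: only the expected class may be instantiated. Any other
// class becomes __PHP_Incomplete_Class, whose magic methods never run, and
// the loader rejects it instead of handing it to the caller.
function loadCoverageSafe(string $serialized): ?CoverageData
{
    $value = unserialize($serialized, ['allowed_classes' => [CoverageData::class]]);

    return $value instanceof CoverageData ? $value : null;
}

// Constructed sample inputs: a legitimate coverage object and the probe.
$legit = serialize(new CoverageData(['src/Foo.php' => [3 => 1, 4 => 0]]));
$probe = serialize(new WakeupProbe());

loadCoverageUnsafe($probe);
var_dump(WakeupProbe::$triggered);   // hook already ran inside unserialize()

WakeupProbe::$triggered = false;
var_dump(loadCoverageSafe($probe));  // rejected; hook did not run
var_dump(WakeupProbe::$triggered);
var_dump(loadCoverageSafe($legit)?->lines);
```

Reviewing a code base for unserialize() calls that lack the allowed_classes option is the quickest way to find the same pattern elsewhere.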

Added: Jan 27, 2026, 10:24 PM
Updated: Jan 27, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.