PHPUnit
cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*
- 12.5.21
- 13.1.5
A vulnerability exists in PHPUnit versions 12.5.21 and 13.1.5, where the framework forwards PHP INI settings to child processes as command-line arguments without properly escaping INI metacharacters. This oversight allows an attacker to inject additional INI directives by including newlines in the INI values. Exploitation of this vulnerability could lead to remote code execution in the child process by manipulating certain INI settings. The issue has been patched in PHPUnit versions 12.5.22 and 13.1.6.
Exploitation allows for arbitrary INI directive injection in child processes, with the potential for remote code execution if specific directives are manipulated.
Users can upgrade to PHPUnit versions 12.5.22 or 13.1.6 to address this vulnerability. If an immediate upgrade is not possible, it is recommended to audit INI values for newline or metacharacter content, isolate CI execution of untrusted code, restrict modifications to the 'phpunit.xml' file, and sanitize the host PHP 'php.ini' to remove problematic values.
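The audit step recommended above can be scripted. The following is an added example, not code from PHPUnit or from this advisory: it parses a `phpunit.xml` and flags `<ini>` values containing line breaks or other INI metacharacters. It assumes settings are declared as `<ini name="..." value="..."/>` elements; the character sets and the sample configuration are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: characters this audit treats as dangerous in an INI name or value.
# CR, LF and NUL split or terminate a directive (the vector the advisory describes);
# ';' starts an INI comment and '"' opens a quoted string, so they warrant review.
LINE_BREAKS = {"\r", "\n", "\0"}
METACHARS = {";", '"'}


def classify(text):
    """Return 'inject' for line-break content, 'review' for other metacharacters, else None."""
    if any(c in LINE_BREAKS for c in text):
        return "inject"
    if any(c in METACHARS for c in text):
        return "review"
    return None


def audit_phpunit_xml(xml_text):
    """Return (name, verdict, repr(value)) for every flagged <ini> element.

    The XML parser decodes character references such as &#10; into a real
    newline, so the check sees the value as it would be forwarded; a plain
    text search for line breaks in the file would miss that encoding.
    Intended for configuration files in a repository you are auditing.
    """
    findings = []
    for ini in ET.fromstring(xml_text).iter("ini"):
        name, value = ini.get("name", ""), ini.get("value", "")
        verdict = classify(name) or classify(value)
        if verdict:
            findings.append((name, verdict, repr(value)))
    return findings


# Constructed sample configuration (not taken from the advisory).
SAMPLE = """<phpunit>
  <php>
    <ini name="memory_limit" value="256M"/>
    <ini name="error_log" value="/tmp/a.log&#10;display_errors=1"/>
    <ini name="include_path" value=".;lib"/>
  </php>
</phpunit>"""

if __name__ == "__main__":
    for name, verdict, shown in audit_phpunit_xml(SAMPLE):
        print(f"{verdict:7} {name} = {shown}")
```

Treat an `inject` verdict as a blocker for CI; a `review` verdict can be legitimate (for example a `;`-separated path list) and needs a human look.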