CVE-2017-9841
PHPUnit Command Injection Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 17
Exploited in Wild: Yes
Decision
Descriptions
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Util/PHP/eval-stdin.php in PHPUnit, in versions prior to 4.8.28 and in 5.x versions prior to 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with the substring "
It was discovered that PHPUnit incorrectly handled web requests if exposed to the internet. An attacker could possibly use this issue to achieve remote code execution or obtain sensitive information.
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
CVSS Scores
SSVC
- Decision: Act
Timeline
- 2017-06-24 CVE Reserved
- 2017-06-27 CVE Published
- 2020-01-10 First Exploit
- 2022-02-15 Exploited in Wild
- 2022-08-15 KEV Due Date
- 2025-02-07 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (24)
URL | Tag | Source |
---|---|---|
http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com | Third Party Advisory | |
http://www.securityfocus.com/bid/101798 | Broken Link | |
http://www.securitytracker.com/id/1039812 | Broken Link | |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/50702 | 2022-02-02 | |
https://github.com/akr3ch/CVE-2017-9841 | 2022-08-19 | |
https://github.com/Chocapikk/CVE-2017-9841 | 2023-08-27 | |
https://github.com/MrG3P5/CVE-2017-9841 | 2024-02-15 | |
https://github.com/mbrasile/CVE-2017-9841 | 2020-01-10 | |
https://github.com/p1ckzi/CVE-2017-9841 | 2022-06-30 | |
https://github.com/jax7sec/CVE-2017-9841 | 2022-04-22 | |
https://github.com/Jhonsonwannaa/CVE-2017-9841- | 2022-11-21 | |
https://github.com/cyberharsh/Php-unit-CVE-2017-9841 | 2020-06-24 | |
https://github.com/RandomRobbieBF/phpunit-brute | 2024-12-03 | |
https://github.com/ludy-dev/PHPUnit_eval-stdin_RCE | 2023-11-20 | |
https://github.com/incogbyte/laravel-phpunit-rce-masscaner | 2024-08-12 | |
https://github.com/mileticluka1/eval-stdin | 2022-11-17 | |
https://github.com/dream434/CVE-2017-9841- | 2022-11-22 | |
https://github.com/dream434/CVE-2017-9841 | 2025-03-02 | |
https://github.com/MadExploits/PHPunit-Exploit | 2024-05-19 | |
https://github.com/K3ysTr0K3R/CVE-2017-9841-EXPLOIT | 2025-06-10 | |
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/201711-15 | 2022-04-18 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Phpunit Project | Phpunit | <= 4.8.27 | - | Affected |
Phpunit Project | Phpunit | >= 5.0.0 < 5.6.3 | - | Affected |
Oracle | Communications Diameter Signaling Router | >= 8.0.0 <= 8.5.0 | - | Affected |