The maintainers of PHPUnit, the industry-standard testing framework for PHP, have released a critical security update to address a high-severity vulnerability that turns the testing process itself into an attack vector. Tracked as CVE-2026-24765, the flaw carries a CVSS score of 7.8 and allows attackers to achieve Remote Code Execution (RCE) by manipulating code coverage artifacts.
The vulnerability strikes at the heart of automated testing environments, exploiting how PHPUnit cleans up after running tests.
The issue lies within the PHPT test runner, specifically in a method ironically named cleanupForCoverage(). This function is responsible for handling code coverage data generated during test execution.
According to the security advisory, the method “deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test”.
The technical root cause is a classic Unsafe Deserialization (CWE-502) flaw. The code processes a buffer with @unserialize($buffer) without checking whether the data is safe, so any class named in the file can be instantiated. If an attacker can plant a malicious serialized object (specifically one whose class defines a __wakeup() method) in a .coverage file on the system, PHPUnit deserializes it blindly during the cleanup phase and the object's __wakeup() runs.
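A hardened loader for the pattern the advisory describes, written here as an added example rather than PHPUnit's own code or fix. It assumes PHP 8 and a hypothetical CoverageRecord class standing in for whatever class the real .coverage file holds; the self-check at the bottom uses constructed data.

```php
<?php
// Added example, not PHPUnit's code. CoverageRecord is a hypothetical stand-in for
// the class a real coverage file holds; it deliberately has no __wakeup, __destruct
// or __unserialize, so allowing it through unserialize() cannot run attacker code.
final class CoverageRecord
{
    /** @var array<string, array<int, int>> file => [line => hits] */
    public array $lines = [];
}

// Hardened replacement for a bare @unserialize($buffer): allowlist exactly one
// class, bound nesting depth, treat any error as a rejection, and verify the shape
// before using the data. Every other class becomes __PHP_Incomplete_Class, whose
// methods never run, so a planted gadget object is inert.
function loadCoverageSafe(string $path): ?CoverageRecord
{
    $buffer = @file_get_contents($path);
    if ($buffer === false) {
        return null;
    }
    try {
        $data = @unserialize($buffer, [
            'allowed_classes' => [CoverageRecord::class],
            'max_depth'       => 4,
        ]);
    } catch (\Throwable) {
        $data = false;
    }
    if (!$data instanceof CoverageRecord) {
        error_log("rejected coverage file (unexpected payload): $path");
        return null;
    }
    foreach ($data->lines as $file => $hits) {
        if (!is_string($file) || !is_array($hits)) {
            error_log("rejected coverage file (bad structure): $path");
            return null;
        }
    }
    return $data;
}
// Constructed self-check: a legitimate record loads, while a file holding any other
// object (a plain stdClass stands in for a planted gadget) is rejected.
$rec = new CoverageRecord();
$rec->lines = ['src/Foo.php' => [3 => 1]];
file_put_contents($good = tempnam(sys_get_temp_dir(), 'cov'), serialize($rec));
file_put_contents($planted = tempnam(sys_get_temp_dir(), 'cov'), 'O:8:"stdClass":0:{}');
$ok = loadCoverageSafe($good) instanceof CoverageRecord && loadCoverageSafe($planted) === null;
@unlink($good); @unlink($planted);
exit($ok ? 0 : 1);
```

The allowlist only helps if the permitted class itself has no magic methods, and it does nothing about who can write .coverage files in the first place, which is the CI hardening the advisory goes on to recommend.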
This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:
- CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
- Local Development Environment: An attacker with shell access or the ability to write files to the project directory
- Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo
The vulnerability affects a wide range of PHPUnit versions, spanning several major releases. Users are vulnerable if they are running:
- PHPUnit 8: Version 8.5.51 and below
- PHPUnit 9: Version 9.6.32 and below
- PHPUnit 10: Version 10.5.61 and below
- PHPUnit 11: Version 11.5.49 and below
- PHPUnit 12: Version 12.5.7 and below
The maintainers have released patched versions (8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8) and urge users to update immediately.
However, the advisory also stresses that software patches are only part of the solution. The root problem often lies in how CI/CD environments are configured. “Protecting a single deserialization call does not address the fundamental attack surface,” the report warns.
To truly secure the pipeline, organizations must adopt Defense-in-Depth principles:
- Isolate Runners: Ensure CI/CD runners are ephemeral (discarded after each run) to prevent cross-contamination.
- Restrict Execution: Use branch protection rules to prevent unreviewed code from triggering tests.
- Scan Artifacts: Monitor pull requests and build artifacts for tampering.