CVE-2026-24765: PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage() Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern

if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

• CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
• Local Development Environment: An attacker with shell access or ability to write files to the project directory
• Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo