
What is CVE-2017-9841?

CVE-2017-9841 is a critical (CVSS 9.8) remote code execution vulnerability in PHPUnit, the test framework that Composer pulls into most PHP projects as a development dependency. The affected file is vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, a helper script PHPUnit uses to run test code in a separate PHP process: it reads PHP code from its input stream and evaluates it. That is fine for a tool invoked from the command line; it is a disaster for a file reachable over HTTP, which is exactly what happens when a project is deployed with its vendor/ directory under the web root. The problem is not missing input sanitization but that the script is exposed at all, since its whole purpose is to execute whatever it is given.

The vulnerability stems from a single line in the file, which reads the HTTP request body and evaluates it as code:

    eval('?>' . file_get_contents('php://input'));

How the Exploit Works

An attacker sends a POST request to:

    http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

with PHP code in the request body, for example <?php system('id');. The leading ?> in the eval() call closes PHP mode, so the <?php tag in the body re-enters it and the code runs. If the server is vulnerable, it executes system('id') and returns the output to the attacker, who can now run arbitrary commands as the web server user. No authentication, no session and no special tooling are required, which is why this bug is scanned for so widely.

Why is it Still Relevant in 2026?

According to 2026 data from VulnCheck, this vulnerability is still actively targeted, with tens of thousands of exploitation attempts detected in short timeframes. Attackers have not moved on from a flaw this easy to exploit, and every project that ships vendor/ to a web root with a stale PHPUnit remains a target.

The Fix

Update PHPUnit. This is the most direct fix. Update your project's phpunit/phpunit Composer dependency to version 5.6.3 or 4.8.28 or any later release, and commit the regenerated composer.lock.

Keep development tools out of production. PHPUnit belongs in require-dev, and a production deployment should install dependencies without the dev section:

    composer install --no-dev

Or simply block access to the entire /vendor/ directory. As a defense-in-depth measure, explicitly deny access to the vendor directory in your web server configuration (nginx shown):

    location /vendor {
        deny all;
        return 404;
    }

Summary Table: CVE-2017-9841

    CVE ID               CVE-2017-9841
    Severity             Critical (CVSS 9.8)
    File path            vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
    Vulnerable versions  4.8.x before 4.8.28, 5.x before 5.6.3
    Action               Update PHPUnit and deploy with composer install --no-dev

The eval-stdin.php vulnerability is a glaring reminder of the risks of exposed dependencies. By ensuring that development tools are never part of the production environment, you protect your infrastructure from this simple yet devastating RCE.

Reference: CVE-2017-9841 Detail - NVD (https://nvd.nist.gov/vuln/detail/CVE-2017-9841)
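A safe way to confirm whether the eval-stdin.php endpoint described above is exposed on a host you are authorized to test, added here as example code rather than anything from the original article: instead of system('id'), the probe posts <?php echo md5('<nonce>'); and treats the response as proof of execution only if it contains the hash of a nonce it just generated, which a server that merely reflects the body or serves the file as text cannot produce. The stand-in server functions at the bottom are constructed so the script runs offline; http://target.example is a placeholder host, and http_transport is the function to pass when probing a real one.

```python
import hashlib
import re
import secrets
import urllib.error
import urllib.request

EVAL_STDIN_PATH = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def build_probe():
    """Return the POST body and the only string a genuine eval() of it can produce.

    md5(nonce) is used instead of system('id'): a hit proves code execution
    without running a command on the target."""
    nonce = secrets.token_hex(8)
    body = f"<?php echo md5('{nonce}');".encode()
    return body, hashlib.md5(nonce.encode()).hexdigest()


def classify(status, text, expected):
    """Map one response to a verdict. Order matters: a reflected body would
    contain our PHP but never the hash, so only the hash counts as execution."""
    if expected in text:
        return "vulnerable"        # the server evaluated our PHP
    if "php://input" in text:
        return "source-disclosed"  # script served as text: vendor/ exposed, PHP not run
    if status in (401, 403, 404):
        return "blocked"           # vendor/ denied, or the file is not deployed
    return "unknown"


def http_transport(url, body, timeout=10):
    """Real transport: POST the body and return (status, response text)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "text/plain"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, transport=http_transport):
    body, expected = build_probe()
    status, text = transport(base_url.rstrip("/") + EVAL_STDIN_PATH, body)
    return classify(status, text, expected)


# Constructed stand-ins for real servers so the script runs offline.
def vulnerable_server(url, body):
    """Mimics eval('?>' . file_get_contents('php://input')) for the probe shape above."""
    m = re.fullmatch(rb"<\?php echo md5\('([0-9a-f]+)'\);", body)
    if url.endswith(EVAL_STDIN_PATH) and m:
        return 200, hashlib.md5(m.group(1)).hexdigest()
    return 200, body.decode()  # a body without <?php is simply echoed back


def hardened_server(url, body):
    """Mimics nginx 'location /vendor { deny all; return 404; }'."""
    return 404, "404 Not Found"


def static_server(url, body):
    """Mimics a host that serves the script as a file instead of executing it."""
    return 200, "<?php\neval('?>' . file_get_contents('php://input'));\n"


if __name__ == "__main__":
    for name, server in (("vulnerable", vulnerable_server),
                         ("hardened", hardened_server),
                         ("static", static_server)):
        # http://target.example is a placeholder; pass http_transport for a real host
        print(f"{name:>10}: {probe('http://target.example', server)}")
```

The "source-disclosed" verdict is worth keeping separate from "blocked": a host that returns the script's source is not executing PHP in vendor/ today, but the directory is still reachable and the /vendor deny rule above has not been applied.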
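The fix amounts to two deploy-time invariants, which this added example (not the article's or PHPUnit's own code) checks against a built project tree: composer.lock must not pin phpunit/phpunit below 4.8.28 on the 4.x branch or below 5.6.3 on the 5.x branch, and eval-stdin.php must not exist under vendor/ in the deployed tree at all, since it is only there when composer install was run with dev dependencies. The sample project written to a temporary directory is constructed for the demonstration; the version thresholds are the ones given above.

```python
import json
import tempfile
from pathlib import Path

EVAL_STDIN = Path("vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php")


def parse_version(v):
    """'v5.6.2' -> (5, 6, 2); suffixes such as '-beta1' are ignored."""
    nums = []
    for part in v.lstrip("vV").split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits or 0))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def phpunit_is_vulnerable(version):
    """Fixed releases are 4.8.28 and 5.6.3; 6.x and later are clean.
    Anything below 4.8.28 is flagged, which is conservative for 3.x."""
    t = parse_version(version)
    if t < (4, 8, 28):
        return True
    return (5, 0, 0) <= t < (5, 6, 3)


def audit_deploy(root):
    """Return a list of findings for the project tree at root (empty = clean)."""
    root = Path(root)
    findings = []
    lock = root / "composer.lock"
    if lock.exists():
        data = json.loads(lock.read_text())
        for section in ("packages", "packages-dev"):
            for pkg in data.get(section, []):
                if pkg.get("name") != "phpunit/phpunit":
                    continue
                if phpunit_is_vulnerable(pkg.get("version", "0")):
                    findings.append(
                        f"composer.lock pins phpunit/phpunit {pkg['version']} (below the fixed release)")
                if section == "packages":
                    findings.append("phpunit/phpunit is a runtime dependency; move it to require-dev")
    if (root / EVAL_STDIN).exists():
        findings.append(
            f"{EVAL_STDIN} is present on disk; dev dependencies were installed (use composer install --no-dev)")
    return findings


def make_demo_project(root, version, with_dev_vendor):
    """Constructed sample project (not a real app) to exercise the audit."""
    root = Path(root)
    lock = {"packages": [],
            "packages-dev": [{"name": "phpunit/phpunit", "version": version}]}
    (root / "composer.lock").write_text(json.dumps(lock))
    if with_dev_vendor:
        path = root / EVAL_STDIN
        path.parent.mkdir(parents=True)
        path.write_text("<?php eval('?>' . file_get_contents('php://input'));\n")


def run_demo():
    """Audit one bad tree (old PHPUnit, dev deps installed) and one good tree."""
    results = {}
    for label, version, dev in (("bad", "4.8.26", True), ("good", "5.6.3", False)):
        with tempfile.TemporaryDirectory() as d:
            make_demo_project(d, version, dev)
            results[label] = audit_deploy(d)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or ["clean"])
```

Run audit_deploy against the artifact your deploy pipeline actually ships (the directory after composer install --no-dev), not the developer checkout; a passing lock file with vendor/phpunit still on disk is the exact combination the article warns about.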