CVE-2026-24765 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the PHPUnit testing framework for PHP. The flaw exists in the `cleanupForCoverage()` method, which deserializes code coverage files (.coverage) without validating or restricting the classes allowed during deserialization. Normally, .coverage files should not exist before PHPT test execution; however, if an attacker can place a malicious serialized object file with a crafted `__wakeup()` method in the expected location, PHPUnit will deserialize it during test runs with code coverage enabled. This leads to arbitrary code execution within the context of the test runner. Exploitation requires local file write access, which can be achieved through compromised CI/CD pipelines, local developer environments, or malicious dependencies. Instead of silently sanitizing input, the maintainers have updated PHPUnit in versions 12.5.8, 11.5.50, 10.5.62, and 9.6.33 to treat the presence of pre-existing .coverage files as an explicit error, preventing silent exploitation. The vulnerability affects multiple major PHPUnit versions prior to the specified patched releases. Although no known exploits are reported in the wild, the risk is significant due to the potential for remote code execution and the common use of PHPUnit in development and CI/CD workflows.

For European organizations, this vulnerability poses a significant risk primarily in development, testing, and CI/CD environments where PHPUnit is used. Successful exploitation can lead to arbitrary code execution, potentially allowing attackers to compromise build servers, inject malicious code into software artifacts, or pivot into internal networks. This can result in intellectual property theft, supply chain attacks, and disruption of software delivery pipelines. Organizations relying heavily on automated testing and continuous integration with PHPUnit are particularly vulnerable. The impact extends beyond confidentiality to integrity and availability, as attackers may alter codebases or disrupt development workflows. Given the widespread use of PHP and PHPUnit in European software development, especially in countries with strong IT sectors, the threat could affect a broad range of industries including finance, manufacturing, and government services. The requirement for local file write access limits remote exploitation but does not eliminate risk, as CI/CD environments often run code from multiple sources and may be targeted via compromised dependencies or insider threats.

1. Upgrade PHPUnit to the fixed versions: 12.5.8, 11.5.50, 10.5.62, 9.6.33, or later. 2. Enforce strict access controls on CI/CD runners and build environments to prevent unauthorized file writes, especially to directories used for code coverage files. 3. Use ephemeral CI/CD runners that are destroyed after each build to avoid persistent malicious files. 4. Implement branch protection and code review policies to reduce risk of malicious code or dependencies entering the pipeline. 5. Isolate build artifacts and restrict artifact sharing to trusted sources only. 6. Monitor for unexpected .coverage files prior to test execution and configure alerting on anomalous file presence. 7. Regularly audit and harden developer workstations and build servers to prevent local compromise. 8. Consider disabling code coverage instrumentation in environments where it is not strictly necessary. 9. Educate development teams about the risks of deserialization vulnerabilities and secure coding/testing practices. 10. Integrate security scanning tools to detect vulnerable PHPUnit versions and unsafe deserialization patterns in code.