CVE-2026-24765 is a vulnerability in the PHPUnit testing framework affecting multiple versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52. The flaw exists in the cleanupForCoverage() method, which deserializes code coverage files (.coverage) without validating the serialized data or restricting allowed classes. Normally, .coverage files should not exist before PHPT test execution, but if an attacker can place a malicious serialized object file with a __wakeup() method into the expected location, PHPUnit will deserialize it during test runs with code coverage enabled, leading to arbitrary code execution. Exploitation requires local file write access, which can be achieved via compromised CI/CD pipeline runners, local development environments, or malicious dependencies. Instead of silently sanitizing input with allowed_classes restrictions, the maintainers now treat pre-existing .coverage files as an explicit error, alerting users to the anomaly. The vulnerability impacts confidentiality, integrity, and availability, as arbitrary code execution can lead to full system compromise. While no public exploits are known, the risk is significant in environments where PHPUnit is used with code coverage enabled and where attackers can write files locally. Mitigation includes upgrading to patched versions, securing CI/CD pipelines with ephemeral runners, enforcing strict access controls, isolating test artifacts, and implementing branch protections and code review policies to prevent malicious code injection.

For European organizations, this vulnerability poses a significant risk primarily in software development and continuous integration environments that utilize PHPUnit for PHP testing with code coverage enabled. Successful exploitation can lead to arbitrary code execution on build or test servers, potentially compromising sensitive source code, intellectual property, and credentials stored or accessible in these environments. This can cascade into broader network compromise if CI/CD infrastructure is interconnected with production systems. The impact extends to confidentiality (exposure of proprietary code and secrets), integrity (injection of malicious code or tampering with test results), and availability (disruption of build pipelines or deployment processes). Organizations relying heavily on automated testing and continuous delivery pipelines, especially those with less stringent access controls or shared runners, are at higher risk. The vulnerability also increases the attack surface for supply chain attacks, which are a growing concern in Europe’s software ecosystem. Failure to patch or mitigate could lead to reputational damage, regulatory scrutiny under GDPR if personal data is exposed, and operational disruptions.

1. Upgrade PHPUnit to versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, 8.5.52 or later where the vulnerability is fixed. 2. Configure CI/CD pipelines to use ephemeral runners or isolated environments that discard all artifacts and files after each run to prevent persistence of malicious .coverage files. 3. Enforce strict access controls on build and test servers to restrict who can write files to PHPUnit’s coverage directories. 4. Implement branch protection and mandatory code reviews to prevent injection of malicious test code or dependencies. 5. Isolate test artifacts and storage locations to prevent unauthorized file placement. 6. Monitor CI/CD logs and PHPUnit error messages for anomalous pre-existing .coverage file errors as indicators of attempted exploitation. 7. Regularly audit dependencies and development environments for unauthorized changes or suspicious files. 8. Educate development and DevOps teams about the risks of unsafe deserialization and secure testing practices. 9. Consider disabling code coverage instrumentation in environments where it is not strictly necessary. 10. Employ runtime application self-protection (RASP) or endpoint detection to detect unusual code execution during test runs.