
CVE-2026-24765: CWE-502: Deserialization of Untrusted Data in sebastianbergmann phpunit

Severity: High
Tags: Vulnerability, CVE-2026-24765, CWE-502
Published: Tue Jan 27 2026 (01/27/2026, 21:35:54 UTC)
Source: CVE Database V5
Vendor/Project: sebastianbergmann
Product: phpunit

Description

PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data during PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present before the PHPT test is executed. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method on the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, and 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/11/2026, 11:30:41 UTC

Technical Analysis

CVE-2026-24765 is a deserialization vulnerability classified under CWE-502 affecting multiple versions of the PHPUnit PHP testing framework prior to versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files (.coverage) during PHPT test execution without validating the serialized data or restricting allowed classes. Normally, .coverage files should not exist before test execution; however, if an attacker can place a malicious serialized object containing a __wakeup() method in such a file, PHPUnit will deserialize it, triggering arbitrary code execution. Exploitation requires local file write access to the directory where PHPUnit stores or expects these coverage files, which can be achieved via compromised CI/CD pipelines, local development environments, or malicious dependencies. Instead of silently sanitizing input, the maintainers chose to treat pre-existing .coverage files as an error condition in patched versions, alerting users to the anomaly. This vulnerability can lead to full compromise of the testing environment and potentially the underlying system if the test environment has elevated privileges. The vulnerability has a CVSS 3.1 base score of 7.8, indicating high severity, with attack vector local, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the risk is significant in environments with lax CI/CD security or shared development infrastructure.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily in development and CI/CD environments where PHPUnit is used for PHP application testing. Successful exploitation could lead to arbitrary code execution, allowing attackers to execute malicious payloads, potentially compromising build servers, injecting backdoors into software artifacts, or pivoting to other parts of the network. This can disrupt software development lifecycles, cause supply chain contamination, and lead to data breaches or service outages. Organizations relying heavily on PHP and PHPUnit, especially those with automated testing pipelines that do not isolate runners or enforce strict access controls, are at heightened risk. The impact extends beyond development environments if compromised artifacts are deployed to production. Given the widespread use of PHP in European web applications and the increasing adoption of CI/CD pipelines, the vulnerability could affect a broad range of sectors including finance, government, and technology. The lack of required user interaction and the ability to exploit with low privileges but local file write access increases the risk in multi-tenant or shared infrastructure environments.

Mitigation Recommendations

1. Upgrade PHPUnit to the fixed versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, or 8.5.52 or later to ensure the vulnerability is patched.
2. Enforce strict access controls on CI/CD runners and development environments to prevent unauthorized local file writes, including using ephemeral runners that are destroyed after each build.
3. Implement artifact isolation and scanning to detect anomalous or pre-existing .coverage files before test execution.
4. Use branch protection and code review policies to prevent injection of malicious code or dependencies that could write to coverage files.
5. Monitor CI/CD logs and PHPUnit error messages for indications of anomalous .coverage files or deserialization errors.
6. Restrict permissions on directories where PHPUnit stores coverage files to trusted users only.
7. Educate development teams about the risks of insecure deserialization and the importance of secure CI/CD pipeline configuration.
8. Consider additional runtime protections such as containerization or sandboxing of test environments to limit the impact of potential code execution.
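As an added CI pre-check (not PHPUnit's own code) that mirrors the patched behaviour described above and implements mitigation steps 3 and 5: it fails the build when any PHPT test already has a `.coverage` file beside it before PHPUnit runs, so the anomalous state is reported instead of being deserialized. It assumes PHPUnit places the PHPT coverage file next to the test with the `.phpt` suffix replaced by `.coverage` (adjust the path rule if your version stores it elsewhere); the function name `check_stale_phpt_coverage` is my own.

```shell
# Added example, not PHPUnit's own code: refuse to run coverage-instrumented
# PHPT tests while a stale .coverage file exists for any of them.
# Assumption: tests/foo.phpt -> tests/foo.coverage (same directory).

# Lists every pre-existing coverage file paired with a .phpt test under $1.
# Returns 0 when the tree is clean, 1 when at least one stale file is found.
check_stale_phpt_coverage() {
    test_root="$1"
    # Walk all PHPT tests; for each, check for its coverage sibling.
    # Using an if-statement keeps the loop's exit status 0 under `set -e`.
    stale=$(find "$test_root" -type f -name '*.phpt' | while IFS= read -r phpt; do
        cov="${phpt%.phpt}.coverage"
        if [ -e "$cov" ]; then
            printf '%s\n' "$cov"
        fi
    done)
    if [ -n "$stale" ]; then
        printf 'ERROR: pre-existing PHPT coverage file(s) found before test run:\n%s\n' \
            "$stale" >&2
        printf 'A .coverage file must not exist before the PHPT test executes; refusing to continue.\n' >&2
        return 1
    fi
    return 0
}

# Pipeline usage, as the step right before `phpunit --coverage-...`:
#   check_stale_phpt_coverage tests/ || exit 1
```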


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-26T21:06:47.867Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697933434623b1157c49959a

Added to database: 1/27/2026, 9:50:59 PM

Last enriched: 2/11/2026, 11:30:41 AM

Last updated: 3/26/2026, 7:53:45 AM

Views: 775
