CVE-2026-25129 is a vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting PsySH, a popular interactive PHP REPL and debugger. PsySH versions before 0.11.23 and between 0.12.0 and 0.12.19 automatically load and execute a .psysh.php configuration file from the current working directory (CWD) upon startup. This behavior introduces a security risk if an attacker can write a malicious .psysh.php file into a directory that a victim, especially a privileged user, later uses as their CWD when launching PsySH. Because the file is executed in the context of the user running PsySH, this can lead to arbitrary code execution and local privilege escalation if the user has elevated privileges (e.g., root, CI runners, or operations/debug accounts). The vulnerability extends to downstream consumers embedding PsySH, such as Laravel's Tinker console (invoked via php artisan tinker), which inherits the same risk. Exploitation requires the attacker to have write access to a directory that the victim will use as their CWD and for the victim to launch PsySH or Tinker from that directory, thus requiring local access and user interaction. The vulnerability is mitigated by upgrading PsySH to versions 0.11.23 or 0.12.19, which remove the automatic loading of .psysh.php from the CWD. The CVSS 3.1 score is 6.7 (medium), reflecting the local attack vector, required privileges, and user interaction, but high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date.

For European organizations, this vulnerability poses a significant risk primarily in environments where PsySH or downstream tools like Laravel Tinker are used by privileged users. Development, operations, and continuous integration environments that run PHP applications and use PsySH for debugging or interactive shell access are at risk. If an attacker gains local write access to directories used by these users, they can escalate privileges, potentially compromising sensitive systems or data. This could lead to unauthorized access to critical infrastructure, data leakage, or disruption of services. Organizations with automated deployment pipelines or shared development environments are particularly vulnerable if directory permissions are not tightly controlled. The impact is heightened in sectors with strict data protection requirements, such as finance, healthcare, and government, where privilege escalation could lead to regulatory non-compliance and reputational damage.

European organizations should immediately upgrade PsySH to versions 0.11.23 or 0.12.19 or later to eliminate the automatic loading of .psysh.php from the CWD. Review and restrict directory permissions to prevent untrusted users from writing files into directories that privileged users might use as their CWD. Implement policies to avoid launching PsySH or Laravel Tinker from untrusted or writable directories, especially when running with elevated privileges. Employ monitoring to detect unexpected .psysh.php files in commonly used directories. In CI/CD environments, isolate build and debug environments to prevent directory poisoning. Educate developers and operations staff about the risks of running interactive shells in attacker-writable directories. Consider using containerization or sandboxing to limit the impact of potential local exploits. Regularly audit and update PHP development tools and dependencies to incorporate security patches promptly.