CVE-2026-41570: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in sebastianbergmann phpunit
CVE-2026-41570 is a high-severity vulnerability in PHPUnit versions 12.5.21 and 13.1.5 where PHP INI settings are forwarded to child processes without neutralizing metacharacters. This allows an attacker who can influence a single INI value to inject additional INI directives, including ones that lead to remote code execution. The root cause is improper neutralization of CRLF sequences, which enables injection of directives such as auto_prepend_file. The issue is patched in versions 12.5.22 and 13.1.6.
AI Analysis
Technical Summary
PHPUnit versions 12.5.21 and 13.1.5 forward PHP INI settings to child processes as -d name=value command-line arguments without neutralizing INI metacharacters such as newline characters. Because the PHP CLI accumulates its -d arguments into an INI buffer in which a newline ends a directive, an attacker who controls a single INI value can append arbitrary additional directives after a newline. That includes auto_prepend_file: pointing it at an attacker-controlled file makes the child process execute that file's PHP code before anything else, which is remote code execution within the child process. The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection'). It has a CVSS v3.1 score of 7.8 (high severity). The issue is fixed in PHPUnit versions 12.5.22 and 13.1.6.
Potential Impact
An attacker with the ability to influence a single PHP INI value in affected PHPUnit versions can inject arbitrary INI directives into child processes. This can lead to remote code execution by setting directives such as auto_prepend_file to malicious files. The vulnerability affects confidentiality, integrity, and availability of the affected system, as reflected by the CVSS score of 7.8. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available: upgrade PHPUnit to version 12.5.22 or 13.1.6 or later. These versions neutralize INI metacharacters before forwarding settings to child processes and so prevent the CRLF injection. Until upgraded, do not run untrusted test suites or test configuration that could influence the INI settings PHPUnit forwards. Patch status is confirmed by the vendor advisory, which states that the issue is resolved in the versions above.
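The forwarding bug and the check that closes it, as an added example that is not PHPUnit's own code and not its upstream patch: it builds the -d name=value arguments the vulnerable way and a hardened way, then feeds the accumulated directives through PHP's own INI parser (parse_ini_string()) to show that a newline inside one value surfaces as a second directive. The memory_limit setting, the /tmp/attacker.php path and the validation rules are this example's own assumptions, and directivesSeenByChild() is a simplified model of the CLI's -d handling, not the real implementation.

```php
<?php
declare(strict_types=1);

// Added example, not PHPUnit's own code. Demonstrates why INI settings
// forwarded to a child process as `-d name=value` need metacharacter checks,
// using PHP's own INI parser to model how the CLI reads its -d directives.

/**
 * Vulnerable: forwards every name=value pair verbatim. A value that contains
 * a newline turns into an extra directive once the child parses its INI buffer.
 */
function buildIniArgsUnsafe(array $settings): array
{
    $args = [];
    foreach ($settings as $name => $value) {
        $args[] = '-d';
        $args[] = $name . '=' . $value;
    }
    return $args;
}

/**
 * Hardened: accepts only plain INI identifiers as names and rejects values
 * that contain CR, LF or NUL. This validation policy is the example's own
 * choice and does not describe the upstream fix.
 */
function buildIniArgsSafe(array $settings): array
{
    $args = [];
    foreach ($settings as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        if (!preg_match('/^[A-Za-z0-9_.]+$/', $name)) {
            throw new InvalidArgumentException('Refusing INI name: ' . var_export($name, true));
        }
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("Refusing INI value containing CR/LF/NUL for $name");
        }
        $args[] = '-d';
        $args[] = $name . '=' . $value;
    }
    return $args;
}

/**
 * Simplified model of the PHP CLI (assumption): each -d payload is appended to
 * an INI buffer followed by a newline, and that buffer is handed to the INI
 * parser. The real CLI also wraps some values in double quotes; values that
 * begin with an alphanumeric character, as here, go through unquoted.
 */
function directivesSeenByChild(array $args): array
{
    $buffer = '';
    for ($i = 0; $i < count($args); $i++) {
        if ($args[$i] === '-d' && isset($args[$i + 1])) {
            $buffer .= $args[++$i] . "\n";
        }
    }
    $parsed = parse_ini_string($buffer); // same scanner the CLI uses for -d
    return $parsed === false ? [] : $parsed;
}

// Constructed input: a benign setting whose value an attacker has laced with a
// newline and a second directive. The path is hypothetical.
$settings = [
    'memory_limit' => "128M\nauto_prepend_file=/tmp/attacker.php",
];

$seen = directivesSeenByChild(buildIniArgsUnsafe($settings));
var_dump(isset($seen['auto_prepend_file'])); // bool(true): the injected directive landed

try {
    buildIniArgsSafe($settings);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run it with php example.php: the first line prints bool(true) because auto_prepend_file was parsed as its own directive even though only memory_limit was forwarded, and the second prints the rejection from the hardened builder. The hardened builder rejects rather than escapes, since a raw -d value has no quoting layer that the child is guaranteed to apply; refusing CR, LF and NUL outright is the simpler contract, and anything that legitimately needs a newline in an INI value does not belong on a child process command line.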
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-21T14:15:21.957Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fdf879cbff5d8610e2800b
Added to database: 5/8/2026, 2:51:37 PM
Last enriched: 5/8/2026, 3:06:28 PM
Last updated: 5/8/2026, 3:52:20 PM