Commit ed5c6aa

chore(deps): update dependency phpunit/phpunit to v11.5.50 [security] (#216)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [phpunit/phpunit](https://phpunit.de/) ([source](https://redirect.github.com/sebastianbergmann/phpunit)) | `11.5.46` → `11.5.50` | ![age](https://developer.mend.io/api/mc/badges/age/packagist/phpunit%2fphpunit/11.5.50?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/packagist/phpunit%2fphpunit/11.5.46/11.5.50?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-24765](https://redirect.github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p)

### Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test.

### Technical Details

**Affected Component:** PHPT test runner, method `cleanupForCoverage()`

**Affected Versions:** <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

### Vulnerable Code Pattern

```php
if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @unserialize($buffer);
}
```

The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

### Attack Prerequisites and Constraints

This vulnerability requires **local file write access** to the location where PHPUnit stores or expects code coverage files for PHPT tests.

This can occur through:

* **CI/CD Pipeline Attacks:** A malicious pull request that places a `.coverage` file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
* **Local Development Environment:** An attacker with shell access or ability to write files to the project directory
* **Compromised Dependencies:** A supply chain attack inserting malicious files into a package or monorepo

**Critical Context:** Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of [Poisoned Pipeline Execution (PPE) attacks](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution) affecting CI/CD systems.

### Proposed Remediation Approach

Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition.

#### Rationale for Error-Based Approach:

1. **Visibility Over Silence:** When an invariant is violated (a `.coverage` file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
2. **Operational Security:** A `.coverage` file should never exist before tests run; coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
   * A malicious actor placed it intentionally
   * Build artifacts from a previous run contaminated the environment
   * An unexpected filesystem state requiring investigation
3. **Defense-in-Depth Principle:** Protecting a single deserialization call does not address the fundamental attack surface.

Proper mitigations for PPE attacks lie outside PHPUnit's scope:

* Isolate CI/CD runners (ephemeral, containerized environments)
* Restrict code execution on protected branches
* Scan pull requests and artifacts for tampering
* Use branch protection rules to prevent unreviewed code execution

### Severity Classification

* **Attack Vector (AV):** Local (L) — requires write access to the file system where tests execute
* **Attack Complexity (AC):** Low (L) — exploitation is straightforward once the malicious file is placed
* **Privileges Required (PR):** Low (L) — PR submitter status or contributor role provides sufficient access
* **User Interaction (UI):** None (N) — automatic execution during standard test execution
* **Scope (S):** Unchanged (U) — impact remains within the affected test execution context
* **Confidentiality Impact (C):** High (H) — full remote code execution enables complete system compromise
* **Integrity Impact (I):** High (H) — arbitrary code execution allows malicious modifications
* **Availability Impact (A):** High (H) — full code execution permits denial-of-service actions

### Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

* **Ephemeral Runners:** Use containerized, single-use CI/CD runners that discard filesystem state between runs
* **Code Review Enforcement:** Require human review and approval before executing code from pull requests
* **Branch Protection:** Enforce branch protection rules that block unreviewed code execution
* **Artifact Isolation:** Separate build artifacts from source; never reuse artifacts across independent builds
* **Access Control:** Limit file write permissions in CI environments to authenticated, trusted actors

### Fixed Behaviour

When a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state.

This ensures:

* **Visibility:** The error appears prominently in CI/CD output and test logs
* **Investigation:** Operations teams can investigate the root cause (potential tampering, environment contamination)
* **Fail-Fast Semantics:** Test execution stops rather than proceeding with an unexpected state

### Recommendation

**Update to the patched version immediately** if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors.

Additionally, audit the project's CI/CD configuration to ensure:

* Pull requests from forks or untrusted sources execute in isolated environments
* Branch protection rules require human review before code execution
* CI/CD runners are ephemeral and discarded after each build
* Build artifacts are not reused across independent runs without validation

---

### Release Notes

<details>
<summary>sebastianbergmann/phpunit (phpunit/phpunit)</summary>

### [`v11.5.50`](https://redirect.github.com/sebastianbergmann/phpunit/releases/tag/11.5.50): PHPUnit 11.5.50

[Compare Source](https://redirect.github.com/sebastianbergmann/phpunit/compare/11.5.49...11.5.50)

##### Changed

- To prevent Poisoned Pipeline Execution (PPE) attacks using prepared `.coverage` files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

***

Learn how to install or update PHPUnit 11.5 in the [documentation](https://docs.phpunit.de/en/11.5/installation.html).

##### Keep up to date with PHPUnit:

- You can follow [@phpunit@phpc.social](https://phpc.social/@phpunit) to stay up to date with PHPUnit's development.
- You can subscribe to the [PHPUnit Updates](https://phpunit.de/newsletter) newsletter to receive updates about and tips for PHPUnit.

### [`v11.5.49`](https://redirect.github.com/sebastianbergmann/phpunit/releases/tag/11.5.49): PHPUnit 11.5.49

[Compare Source](https://redirect.github.com/sebastianbergmann/phpunit/compare/11.5.48...11.5.49)

##### Fixed

- [#6362](https://redirect.github.com/sebastianbergmann/phpunit/issues/6362): Manually instantiated test doubles are broken since PHPUnit 11.2
- [#6470](https://redirect.github.com/sebastianbergmann/phpunit/issues/6470): Infinite recursion in `Count::getCountOf()` for unusual implementations of `Iterator` or `IteratorAggregate`

***

Learn how to install or update PHPUnit 11.5 in the [documentation](https://docs.phpunit.de/en/11.5/installation.html).

##### Keep up to date with PHPUnit:

- You can follow [@phpunit@phpc.social](https://phpc.social/@phpunit) to stay up to date with PHPUnit's development.
- You can subscribe to the [PHPUnit Updates](https://phpunit.de/newsletter) newsletter to receive updates about and tips for PHPUnit.

### [`v11.5.48`](https://redirect.github.com/sebastianbergmann/phpunit/releases/tag/11.5.48): PHPUnit 11.5.48

[Compare Source](https://redirect.github.com/sebastianbergmann/phpunit/compare/11.5.47...11.5.48)

##### Changed

- Reverted a change that caused a [build failure](https://redirect.github.com/php/php-src/actions/runs/21052584327/job/60542023395#step:14:3729) for the [PHP project's nightly community job](https://phpunit.expert/articles/how-php-and-its-ecosystem-test-each-other.html?ref=github)

***

Learn how to install or update PHPUnit 11.5 in the [documentation](https://docs.phpunit.de/en/11.5/installation.html).

##### Keep up to date with PHPUnit:

- You can follow [@phpunit@phpc.social](https://phpc.social/@phpunit) to stay up to date with PHPUnit's development.
- You can subscribe to the [PHPUnit Updates](https://phpunit.de/newsletter) newsletter to receive updates about and tips for PHPUnit.

### [`v11.5.47`](https://redirect.github.com/sebastianbergmann/phpunit/releases/tag/11.5.47): PHPUnit 11.5.47

[Compare Source](https://redirect.github.com/sebastianbergmann/phpunit/compare/11.5.46...11.5.47)

##### Fixed

- [#6470](https://redirect.github.com/sebastianbergmann/phpunit/issues/6470): Mocking a class with a property hook setter accepting more types than the property results in a fatal error

***

Learn how to install or update PHPUnit 11.5 in the [documentation](https://docs.phpunit.de/en/11.5/installation.html).

##### Keep up to date with PHPUnit:

- You can follow [@phpunit@phpc.social](https://phpc.social/@phpunit) to stay up to date with PHPUnit's development.
- You can subscribe to the [PHPUnit Updates](https://phpunit.de/newsletter) newsletter to receive updates about and tips for PHPUnit.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Lendable/message).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent c751f3e commit ed5c6aa
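The advisory quoted in the commit message contrasts three things: the unrestricted `unserialize()` call, the fail-fast error the maintainer chose (refuse to run the test when the temporary coverage file already exists), and the `['allowed_classes' => false]` restriction it mentions as a weaker alternative. The script below is an added illustration of that contrast and is not PHPUnit's own code; the function names, the exception class, and the temporary file path are hypothetical, and the serialized payloads are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not PHPUnit source. Function names, the exception class and
// the file path are hypothetical; serialized payloads below are constructed.

final class UnexpectedCoverageFileException extends RuntimeException {}

/**
 * The pattern the advisory describes as vulnerable: the file buffer goes to
 * unserialize() with no class restriction, so any class named in the file is
 * instantiated and its __wakeup()/__destruct() hooks run. Kept only for the
 * side-by-side comparison; it is never called below.
 */
function readCoverageUnsafe(string $path): mixed
{
    $buffer = @file_get_contents($path);
    if ($buffer !== false) {
        return @unserialize($buffer);
    }
    return null;
}

/**
 * Fail-fast check mirroring the fixed behaviour: the temporary coverage file
 * must not exist before the test runs, so its presence is treated as an error
 * that shows up in CI output instead of being silently sanitised away.
 */
function assertNoPreexistingCoverageFile(string $path): void
{
    if (file_exists($path)) {
        throw new UnexpectedCoverageFileException(
            sprintf('Unexpected pre-existing coverage file "%s"; refusing to run test', $path)
        );
    }
}

/**
 * Defence-in-depth for reading a coverage file the test itself just wrote:
 * with allowed_classes=false, unserialize() turns every object in the payload
 * into __PHP_Incomplete_Class, so no magic methods execute, and anything that
 * is not a plain array is rejected.
 */
function readCoverageRestricted(string $path): array
{
    $buffer = file_get_contents($path);
    if ($buffer === false) {
        throw new RuntimeException("Cannot read coverage file $path");
    }
    $data = unserialize($buffer, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException("Coverage file $path did not contain an array");
    }
    return $data;
}

// --- constructed demonstration ---------------------------------------------
$tmpDir = sys_get_temp_dir() . '/coverage-demo-' . bin2hex(random_bytes(4));
mkdir($tmpDir);
$coverageFile = $tmpDir . '/example.coverage';

// 1. Clean state: no file exists, the check passes and the test may run.
assertNoPreexistingCoverageFile($coverageFile);
echo "no pre-existing coverage file, test may run\n";

// 2. A file is already there (left over from an earlier run, or planted):
//    the fail-fast check refuses to continue. The payload is a harmless
//    constructed array; the point is that the file exists at all.
file_put_contents($coverageFile, serialize(['lines' => [1 => 1, 2 => 0]]));
try {
    assertNoPreexistingCoverageFile($coverageFile);
} catch (UnexpectedCoverageFileException $e) {
    echo "refused: " . $e->getMessage() . "\n";
}

// 3. Restricted reader: a constructed stdClass in the payload is neutralised
//    into __PHP_Incomplete_Class and the non-array result is rejected.
file_put_contents($coverageFile, serialize((object) ['x' => 1]));
try {
    readCoverageRestricted($coverageFile);
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

unlink($coverageFile);
rmdir($tmpDir);
```

Run it with `php example.php`; step 1 prints the clean-state message, step 2 shows the error a CI log would surface, and step 3 shows why `allowed_classes` alone only neutralises objects rather than explaining where the file came from, which is the visibility argument the advisory makes for the error-based fix.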

File tree

1 file changed

+37
-37
lines changed


composer.lock

Lines changed: 37 additions & 37 deletions

0 commit comments
