The vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit is not a "zero-day" or a complex vulnerability; it is a self-inflicted wound caused by deploying development tools to production.
If you run composer install without --no-dev on a public server, you are effectively inviting attackers to execute any code they wish. The fix is simple: separate your build artifacts from your runtime environment. Use .gitignore for vendor/ on the build side, and never, ever let phpunit touch your production web root.
Before deploying any PHP application, ask yourself: Does every file in my vendor/ directory need to be directly accessible via HTTP? For eval-stdin.php, the answer is a resounding NO.
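As an added pre-deployment check (example code written for this article, not PHPUnit's or Composer's own), the following POSIX shell function refuses a web root that still contains the file discussed here or other development tooling. The eval-stdin.php path is the one from the article; the vendor/bin/phpunit path and the installed.json "dev" heuristic are assumptions about a standard Composer layout.

```shell
#!/bin/sh
# Pre-deploy gate: fail if development tooling is present under a web-served
# directory. Usage: check_docroot /var/www/html  (exit 0 = clean, 1 = found)
check_docroot() {
    docroot="$1"
    found=0
    # Files that have no business under a web root. The first is the file the
    # article discusses; vendor/bin/phpunit is Composer's bin shim (assumed layout).
    for rel in \
        "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" \
        "vendor/bin/phpunit"
    do
        if [ -e "$docroot/$rel" ]; then
            echo "FAIL: $docroot/$rel present (dev dependency deployed to production)" >&2
            found=1
        fi
    done
    # Heuristic (assumption): Composer 2 writes "dev": true to installed.json when
    # composer install ran without --no-dev, so flag that too.
    installed="$docroot/vendor/composer/installed.json"
    if [ -f "$installed" ] && grep -q '"dev": *true' "$installed"; then
        echo "FAIL: $installed reports dev packages installed (run composer install --no-dev)" >&2
        found=1
    fi
    return "$found"
}
```

Run it as the last step of the build, before the artifact is copied to the server, and let a non-zero exit abort the deploy.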
The file in question is located at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.
In affected versions (specifically PHPUnit < 4.8.28 and < 5.6.3), this file is designed to facilitate the execution of code sent via standard input, primarily used by the testing framework to run isolated tests. The core logic of the file is simple and dangerous:
<?php
// Simplified representation of vulnerable code logic
eval('?' . '>' . file_get_contents('php://stdin'));
The script performs two actions: it reads its standard input, and it passes whatever it read to eval().
Crucially, the file contains no logic to verify the source of the request. It does not check whether the input comes from a local CLI process (as intended) or from a remote HTTP client.
Let’s look at the actual source code of eval-stdin.php (simplified for clarity):
<?php
// Significant portions omitted for brevity, but the core logic is:
$code = stream_get_contents(STDIN);   // read everything from standard input (once; a second read would return an empty string)
if ($code !== false && $code !== '') {
    eval('?>' . $code);               // execute it as PHP with no check on where it came from
}
The script reads anything sent to STDIN (standard input) and passes it directly to eval(). In a CLI (command-line interface) environment, this is safe because only authorized users have shell access. However, when this file is placed in a web-accessible directory, an attacker can use the php://input wrapper or a POST request body to supply the STDIN data.