


Perceptive Security
SOC/SIEM Consultancy

Published:
26 January 2026 at 23:00:00
Alert date:
27 January 2026 at 23:04:33
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
PHPUnit, a testing framework for PHP, contains a vulnerability in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data. The flaw lies in the cleanupForCoverage() method, which deserializes code coverage files without validation. An attacker with local file write access can plant serialized objects whose __wakeup() methods execute arbitrary code during test runs that have code coverage enabled. The vulnerability can be exploited through CI/CD pipeline attacks, compromised local environments, or malicious dependencies. Fixed versions emit an error when pre-existing .coverage files are detected before PHPT test execution.
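The deserialization hazard and the fix described above, as an added PHP example that is not PHPUnit's own code: a benign class records whether its __wakeup() ran, unserialize() with allowed_classes => false is shown beside the unvalidated call, and a pre-flight scan for leftover .coverage files mirrors the check the fixed versions perform. The class name and the directory scanned are assumptions.

```php
<?php
// Added example, not PHPUnit's own code. Shows why unvalidated unserialize() of
// a .coverage file is dangerous and two defences: disabling object instantiation
// so no __wakeup() fires, and refusing to run while stale .coverage files exist.
// The class name and the directory scanned are hypothetical.
// Hypothetical stand-in for any class whose __wakeup() has side effects.
final class WakeupProbe
{
    public static bool $woke = false;
    public function __wakeup(): void
    {
        self::$woke = true; // an attacker's class would run arbitrary code here
    }
}

// Constructed payload: what a planted .coverage file could contain.
function constructedCoverageBlob(): string
{
    return serialize(new WakeupProbe());
}

// Vulnerable pattern: every object in the blob is instantiated and hooks run.
function unsafeLoad(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern: objects become __PHP_Incomplete_Class and hooks never run.
function safeLoad(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}
// Pre-flight check mirroring the fix: list .coverage files left by earlier runs
// so the pipeline can stop before any PHPT test deserializes them.
function findStaleCoverageFiles(string $dir): array
{
    $stale = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'coverage') {
            $stale[] = $file->getPathname();
        }
    }
    return $stale;
}
safeLoad(constructedCoverageBlob());
echo 'hardened load fired __wakeup: ', var_export(WakeupProbe::$woke, true), PHP_EOL;
unsafeLoad(constructedCoverageBlob());
echo 'unsafe load fired __wakeup: ', var_export(WakeupProbe::$woke, true), PHP_EOL;
```

Run findStaleCoverageFiles() against the test directory before invoking PHPUnit and fail the job if it returns anything, which is the same condition the patched releases report.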
Technical details:
Mitigation steps:
Affected products:
PHPUnit
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-24765
https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63
https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50
https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8
https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52
https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33
https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
