CVE-2026-24765

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:

1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
   • A malicious actor placed it intentionally
   • Build artifacts from a previous run contaminated the environment
   • An unexpected filesystem state requiring investigation
3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
   • Isolate CI/CD runners (ephemeral, containerized environments)
   • Restrict code execution on protected branches
   • Scan pull requests and artifacts for tampering
   • Use branch protection rules to prevent unreviewed code execution

Severity Classification

• Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
• Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
• Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
• User Interaction (UI): None (N) — automatic execution during standard test execution
• Scope (S): Unchanged (U) — impact remains within the affected test execution context
• Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
• Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
• Availability Impact (A): High (H) — full code execution permits denial-of-service actions

Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

• Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
• Code Review Enforcement: Require human review and approval before executing code from pull requests
• Branch Protection: Enforce branch protection rules that block unreviewed code execution
• Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
• Access Control: Limit file write permissions in CI environments to authenticated, trusted actors

Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

• Visibility: The error appears prominently in CI/CD output and test logs
• Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
• Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state

Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

• Pull requests from forks or untrusted sources execute in isolated environments
• Branch protection rules require human review before code execution
• CI/CD runners are ephemeral and discarded after each build
• Build artifacts are not reused across independent runs without validation