Index Of Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Jun 2026

This vulnerability is officially tracked as (also known as the "PHPUnit RCE" vulnerability). It affects PHPUnit versions:

Older PHPUnit versions (pre-6.0) are still in use and contain the vulnerable file.

If a web server's /vendor directory is exposed to the public internet, an attacker can send a POST request containing PHP code (starting with

When you see an "Index of" listing for a path like vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, it usually means you're trying to access a specific file directly through a URL, but the server is listing the directory contents instead.

eval('?>' . file_get_contents('php://stdin'));

Here is a high-level overview of how the eval-stdin.php script works:

This is a high-severity vulnerability (CVSS 9.8) because it requires no authentication and grants full control over the application context.

Never expose the vendor directory directly to the internet. Configure your web server (Apache .htaccess or Nginx config) to deny access to vendor entirely.

Ensure your web server configuration (Apache or Nginx) points directly to your application's public folder, making the vendor/ directory completely inaccessible from the browser.
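One way to check a deployment against the advice above, as an added example that is not part of the original page or of PHPUnit: the script walks a document root and reports every copy of eval-stdin.php that sits inside it, including one that is only reachable through a symlinked vendor directory. The function name `find_exposed` and the script name in the usage message are assumptions made for this example.

```python
import os
import sys

# Tail of the path named on this page; compared case-insensitively because
# some filesystems and web servers ignore case.
TAIL = ("phpunit", "src", "util", "php", "eval-stdin.php")


def find_exposed(docroot):
    """Return URL paths, relative to docroot, of every eval-stdin.php below it.

    Any hit lies inside the tree the web server serves, so it is reachable
    from a browser unless a deny rule covers it.
    """
    root = os.path.realpath(docroot)
    seen, hits = set(), []
    # followlinks=True so a vendor/ directory symlinked into the web root counts.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:          # symlink loop or directory already visited
            dirnames[:] = []
            continue
        seen.add(real)
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            parts = rel.split(os.sep)
            if tuple(p.lower() for p in parts)[-len(TAIL):] == TAIL:
                hits.append("/" + "/".join(parts))
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_vendor.py <document-root>")
    found = find_exposed(sys.argv[1])
    for url_path in found:
        print("served by web root:", url_path)
    sys.exit(1 if found else 0)
```

An empty result means no copy of the file is under the served directory; it does not replace the server-side deny rule for vendor.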

This flaw allows unauthenticated attackers to execute arbitrary PHP code on a server.

# On development/staging:
composer install

Let’s decode the path:
