By using php://input, the script allowed an attacker to send an HTTP POST request containing raw PHP code (beginning with a
If the server misinterprets php://stdin (in a CGI/FastCGI setup), it may read the POST body — leading to .
An attacker does not need credentials or a valid user session to exploit this flaw. They simply send an HTTP POST request directly to the exposed eval-stdin.php URI.
/home/project/
    vendor/
    public/
        index.php
        assets/
On a production server the correct command is composer install --no-dev; a common mistake is to run plain composer install instead. If --no-dev is omitted, Composer installs everything, including testing frameworks and utility scripts like eval-stdin.php, into the live vendor folder.
An exposed directory index of /vendor/ is a goldmine for attackers. Even if eval-stdin.php is not present or has been patched, the directory listing reveals:
A: Deleting the file is a valid workaround, but it is not a permanent fix. A future Composer update (e.g., composer update) may restore the file. The proper solution is to remove PHPUnit entirely from production or update to a patched version.
<?php
// eval-stdin.php (vulnerable versions)
eval('?>' . file_get_contents('php://stdin'));
Add this rule to your nginx server configuration file:

location ~ /vendor/ {
    deny all;
    return 404;
}

Step 4: Move the Web Root
Once they see the file exists, they can exploit it immediately.
If you're unsure whether you've been compromised, check your server logs for POST requests to eval-stdin.php. If you've found this article because you saw these requests, update your composer.lock and block the access path immediately.
The eval-stdin.php file uses an insecure eval() function call that executes input received via php://stdin (intended for command-line use) but can be reached via HTTP POST requests in web-accessible environments.
You can safely test your own server using a curl command to see if it executes code:
eval(): A highly dangerous PHP function that executes any string passed to it as actual PHP code.
file_get_contents('php://stdin'): The script reads the raw POST body of a request.