CVE-2017-9841

Name: CVE-2017-9841
Creator: NVD / NIST
Published: 2017-06-27T17:29:00.177+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively Exploited

Last modified Jun 17, 2026

CVE-2017-9841 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.. CISA has confirmed active exploitation in the wild.

Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Aug 15, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Phpunit Project	Phpunit	<= 4.8.27
Phpunit Project	Phpunit	>= 5.0.0, < 5.6.3
Oracle	Communications Diameter Signaling Router	>= 8.0.0, <= 8.5.0

References

http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/Third Party Advisory
http://www.securityfocus.com/bid/101798Broken Link
http://www.securitytracker.com/id/1039812Broken Link
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5Patch, Third Party Advisory
https://github.com/sebastianbergmann/phpunit/pull/1956Patch, Third Party Advisory
https://security.gentoo.org/glsa/201711-15Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/Third Party Advisory
http://www.securityfocus.com/bid/101798Broken Link
http://www.securitytracker.com/id/1039812Broken Link
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5Patch, Third Party Advisory
https://github.com/sebastianbergmann/phpunit/pull/1956Patch, Third Party Advisory
https://security.gentoo.org/glsa/201711-15Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9841US Government Resource

Timeline

Published: Jun 27, 2017
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2017-9841?

How severe is CVE-2017-9841?

CVE-2017-9841 has a CVSS score of 9.8/10 (CRITICAL severity). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2017-9841?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-9841?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST