FKIE_CVE-2026-25129

Vulnerability from fkie_nvd - Published: 2026-01-30 21:15 - Updated: 2026-02-27 20:36
Summary
PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user’s context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user’s permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim’s privileges. Versions 0.11.23 and 0.12.19 patch the issue.
Impacted products
Vendor | Product | Version
psysh | psysh | < 0.11.23 (all 0.11.x releases before the fix)
psysh | psysh | >= 0.12.0, < 0.12.19

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:psysh:psysh:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC5AF0E5-64F3-41E5-9702-1F5A6EF1E022",
              "versionEndExcluding": "0.11.23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:psysh:psysh:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "767A36BE-AA1A-4E8D-B292-32B8250DCC9D",
              "versionEndExcluding": "0.12.19",
              "versionStartIncluding": "0.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim\u0027s context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user\u2019s context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user\u2019s permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim\u2019s privileges. Versions 0.11.23 and 0.12.19 patch the issue."
    },
    {
      "lang": "es",
      "value": "PsySH es una consola de desarrollador en tiempo de ejecuci\u00f3n, depurador interactivo y REPL para PHP. Antes de las versiones 0.11.23 y 0.12.19, PsySH carga y ejecuta autom\u00e1ticamente un archivo \u0027.psysh.php\u0027 desde el Directorio de Trabajo Actual (CWD) al inicio. Si un atacante puede escribir en un directorio que una v\u00edctima usa posteriormente como su CWD al iniciar PsySH, el atacante puede desencadenar la ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto de la v\u00edctima. Cuando la v\u00edctima ejecuta PsySH con grandes privilegios (por ejemplo, root), esto resulta en una escalada de privilegios local. Este es un problema de envenenamiento de la configuraci\u00f3n del CWD que conduce a la ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del usuario v\u00edctima. Si un usuario privilegiado (por ejemplo, root, un ejecutor de CI o una cuenta de operaciones/depuraci\u00f3n) inicia PsySH con el CWD configurado en un directorio escribible por el atacante que contiene un \u0027.psysh.php\u0027 malicioso, el atacante puede ejecutar comandos con los permisos de ese usuario privilegiado, lo que resulta en una escalada de privilegios local. Los consumidores posteriores que incrustan PsySH heredan este riesgo. Por ejemplo, Laravel Tinker (php artisan tinker) usa PsySH. Si un usuario privilegiado ejecuta Tinker mientras su shell est\u00e1 en un directorio escribible por el atacante, el comportamiento de carga autom\u00e1tica del \u0027.psysh.php\u0027 puede ser abusado de la misma manera para ejecutar c\u00f3digo controlado por el atacante bajo los privilegios de la v\u00edctima. Las versiones 0.11.23 y 0.12.19 resuelven el problema."
    }
  ],
  "id": "CVE-2026-25129",
  "lastModified": "2026-02-27T20:36:55.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-30T21:15:58.260",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/bobthecow/psysh/releases/tag/v0.11.23"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/bobthecow/psysh/releases/tag/v0.12.19"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/bobthecow/psysh/security/advisories/GHSA-4486-gxhx-5mg7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-427"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

