CVE-2026-25129 Overview
CVE-2026-25129 is a CWD (Current Working Directory) configuration poisoning vulnerability affecting PsySH, a popular runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a .psysh.php file from the Current Working Directory on startup, creating a local privilege escalation attack vector.
If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. This is particularly dangerous when privileged users such as root, CI runners, or ops/debug accounts launch PsySH from attacker-writable directories.
Critical Impact
Local privilege escalation through CWD configuration poisoning allows attackers to execute arbitrary code with elevated privileges when privileged users run PsySH or downstream tools like Laravel Tinker from attacker-controlled directories.
Affected Products
- PsySH versions prior to 0.11.23
- PsySH versions prior to 0.12.19
- Downstream consumers embedding PsySH (e.g., Laravel Tinker via php artisan tinker)
Discovery Timeline
- 2026-01-30 - CVE CVE-2026-25129 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25129
Vulnerability Analysis
This vulnerability stems from PsySH's automatic configuration file loading behavior. When PsySH initializes, it searches for and automatically executes a .psysh.php configuration file located in the user's Current Working Directory. This design choice, while convenient for developer customization, creates a significant security risk in shared or multi-user environments.
The vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), where the application searches for critical resources in locations that may be under attacker control. The local attack vector requires user interaction, as a victim must manually launch PsySH or a dependent tool while their shell is positioned in an attacker-writable directory.
The impact extends beyond standalone PsySH usage to downstream consumers that embed the library. Laravel Tinker, for example, leverages PsySH for its interactive shell functionality. When a privileged user executes php artisan tinker from an attacker-writable directory containing a malicious .psysh.php file, the auto-load behavior executes attacker-controlled code under the victim's privileges.
Root Cause
The root cause is PsySH's implicit trust of the Current Working Directory as a safe configuration source. The application lacks proper validation and security controls around loading executable configuration files from potentially untrusted locations. The design assumes the CWD is always under the legitimate user's control, which is not true in shared environments, temporary directories, or web application deployments.
Attack Vector
The attack requires local access with the ability to write files to a directory that a privileged user may later use as their working directory. Common attack scenarios include:
- Shared Development Environments: An attacker with low-privilege access places a malicious .psysh.php in a shared project directory or temporary folder
- CI/CD Pipelines: Compromised or malicious code in a repository includes a .psysh.php file that executes when CI runners invoke PsySH or Tinker
- Web Application Directories: An attacker who gains write access to a web directory (through another vulnerability) can poison the directory for subsequent privileged debugging sessions
The malicious .psysh.php file can contain arbitrary PHP code that executes with the permissions of the user launching PsySH, enabling privilege escalation, data exfiltration, or persistence mechanisms.
Detection Methods for CVE-2026-25129
Indicators of Compromise
- Unexpected .psysh.php files appearing in project directories, temporary folders, or web roots
- Anomalous process execution chains where PHP processes spawn unexpected child processes
- Unauthorized file modifications or new files created with elevated privileges after PsySH/Tinker usage
- Evidence of privilege escalation activities following developer debugging sessions
Detection Strategies
- Implement file integrity monitoring (FIM) to detect creation of .psysh.php files in sensitive directories
- Monitor for PsySH or php artisan tinker execution in unusual contexts or directories
- Review system logs for PHP processes running with elevated privileges that spawn unexpected commands
- Audit CI/CD pipeline configurations for unexpected configuration file loading
Monitoring Recommendations
- Configure SentinelOne to alert on .psysh.php file creation events in monitored directories
- Establish baseline behavior for PHP development tools and alert on deviations
- Monitor for command execution patterns indicative of privilege escalation post-exploitation
- Implement directory permission auditing to identify overly permissive shared directories
How to Mitigate CVE-2026-25129
Immediate Actions Required
- Upgrade PsySH to version 0.11.23 or 0.12.19 (or later) immediately
- Audit all projects and directories for unexpected .psysh.php files
- Review directory permissions to ensure privileged users don't have CWD set to attacker-writable locations when running PsySH
- Update Laravel and Tinker dependencies to pull in patched PsySH versions
Patch Information
The PsySH maintainers have released patched versions that address the CWD configuration poisoning vulnerability. Organizations should upgrade to the following versions:
- PsySH 0.11.x branch: Upgrade to version 0.11.23 or later (GitHub Release v0.11.23)
- PsySH 0.12.x branch: Upgrade to version 0.12.19 or later (GitHub Release v0.12.19)
For full technical details, refer to the GitHub Security Advisory GHSA-4486.
Workarounds
- Avoid running PsySH or Laravel Tinker with elevated privileges from shared or untrusted directories
- Implement directory whitelisting policies that prevent execution of development tools from common attacker-writable paths (e.g., /tmp, /var/tmp)
- Use explicit configuration file paths instead of relying on auto-discovery mechanisms
- Restrict write access to project directories to authorized personnel only
# Configuration example - Check for and remove suspicious .psysh.php files
find /var/www -name ".psysh.php" -type f -exec ls -la {} \;
# Remove unauthorized configuration files
find /var/www -name ".psysh.php" -type f -exec rm -i {} \;
# Set restrictive permissions on project directories
chmod 755 /var/www/your-project
chown root:developers /var/www/your-project
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
