Unauthenticated Remote Code Execution (RCE).
There is rarely a legitimate reason for a browser to directly request files inside the vendor/ folder. You should block public access to it entirely.
If you see index of vendor phpunit phpunit src util php evalstdinphp work in your logs or search results, treat it as a . The presence of an indexed directory containing eval-stdin.php means an attacker is just one HTTP request away from full server compromise.
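The log check described above can be automated. The following is an added example, not code from the original page: it scans access-log lines for requests under vendor/ and separates attempts that the server answered from ones it refused. It assumes the common combined log format and the path vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php implied by the search string; the severity labels and sample entries are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Client IP, request target and status from a combined-format access log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
VENDOR_RE = re.compile(r"(?:^|/)vendor(?:/|$)")
EVAL_STDIN_RE = re.compile(r"/vendor/(?:.*/)?eval-stdin\.php$")

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/ HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2024:10:02:11 +0000] "GET /VENDOR/phpunit/phpunit/src/Util/PHP/%65val-stdin.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:10:03:40 +0000] "GET /index.php?page=vendor HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:04:05 +0000] "GET /app//vendor/composer/installed.json HTTP/1.1" 404 196 "-" "-"',
]


def normalize(target):
    """Drop the query string, undo nested percent-encoding, fold case and slashes."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # e.g. %2565 -> %65 -> e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path.replace("\\", "/")).lower()


def scan(lines):
    """Return one finding per request that touches a vendor/ path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        path = normalize(m["target"])
        if not VENDOR_RE.search(path):
            continue
        status = int(m["status"])
        if not 200 <= status < 300:
            severity = "probe"      # refused or absent: someone is looking
        elif EVAL_STDIN_RE.search(path):
            severity = "critical"   # eval-stdin.php answered the request
        else:
            severity = "exposed"    # vendor/ content is publicly served
        findings.append({"ip": m["ip"], "path": path, "status": status, "severity": severity})
    return findings
```

A "critical" or "exposed" finding means the server is still serving vendor/ content and the mitigation steps apply; "probe" findings show scanning that was refused.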
If you discover this file on your production server, take the following mitigation steps immediately.
1. Update PHPUnit
Explicitly deny public traffic from entering your vendor directory. For Apache (.htaccess or httpd.conf):
: This maps out the exact directory structure inside older versions of the PHPUnit testing package.
