Skip to content

laravel/tinker-v2.7.2: 1 vulnerabilities (highest severity is: 6.7) #55

New issue
New issue
Open
Open
laravel/tinker-v2.7.2: 1 vulnerabilities (highest severity is: 6.7)#55
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Feb 1, 2026
Vulnerable Library - laravel/tinker-v2.7.2

Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (laravel/tinker-v2.7.2 version) Remediation Possible**
CVE-2026-25129 Medium 6.7 psy/psysh-v0.11.8 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-25129

Vulnerable Library - psy/psysh-v0.11.8

An interactive shell for modern PHP.

Library home page: https://api.github.com/repos/bobthecow/psysh/zipball/f455acf3645262ae389b10e9beba0c358aa6994e

Dependency Hierarchy:

  • laravel/tinker-v2.7.2 (Root Library)
    • psy/psysh-v0.11.8 (Vulnerable Library)

Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669

Found in base branch: develop

Vulnerability Details

PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a ".psysh.php" file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user’s context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious ".psysh.php", the attacker can execute commands with that privileged user’s permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker ("php artisan tinker") uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the ".psysh.php" auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim’s privileges. Versions 0.11.23 and 0.12.19 patch the issue.

Publish Date: 2026-01-30

URL: CVE-2026-25129

CVSS 3 Score Details (6.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4486-gxhx-5mg7

Release Date: 2026-01-30

Fix Resolution: psy/psysh - v0.12.19,psy/psysh - v0.11.23

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions