Intel

AIKIDO-2026-862723

nikic/php-parser is vulnerable to Code Injection

Code Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

PHPnikic/php-parser
5.6.0 - 5.7.0
Fixed in 5.8.0
Are you affected? Scan for Free

TL;DR

The ConstExprEvaluator component evaluates constant expressions extracted from parsed PHP code into PHP values. When an expression contains the pipe operator (|>), the evaluator resolves the right-hand operand and invokes it as a callable with the left-hand value, so an expression such as "id" |> "shell_exec" executes the named function. Applications that run the evaluator over untrusted or attacker-influenced PHP source can be induced to call arbitrary functions during constant-expression evaluation. The fix removes direct handling of the pipe operator and routes it to the fallback evaluator, which does not invoke callables.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and evaluate untrusted or user-supplied PHP expressions with the constant expression evaluator.

Background info

nikic/php-parser is vulnerable to Code Injection in versions 5.6.0 - 5.7.0.

How to fix this

Upgrade the nikic/php-parser library to the patch version.