[GHSA-qrr6-mg7r-m243] PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes

[sebastianbergmann]

Updates

• Affected products

Comments
As I configured in GHSA-qrr6-mg7r-m243, only the two versions 12.5.21 and 13.1.5 are affected. Not the version ranges (<= 12.5.21, >= 13.0.0, <= 13.1.5) you published here.

[github]

Hi there @sebastianbergmann! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[sebastianbergmann]

Hi there @sebastianbergmann! A community member has suggested an improvement to your security advisory.

The community member who suggested an improvement is me.

On GHSA-qrr6-mg7r-m243, I see the correct information:

On GHSA-qrr6-mg7r-m243, I see incorrect information:

Please correct the information and, if possible, explain how it was possible to publish incorrect information.

Thank you.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the OSV advisory for GHSA-qrr6-mg7r-m243 to reflect that only two discrete PHPUnit versions are affected (12.5.21 and 13.1.5), aligning with the upstream advisory clarification.

Changes:

• Narrowed the affected ranges to only include 12.5.21 (fixed in 12.5.22) and 13.1.5 (fixed in 13.1.6)
• Removed database_specific.last_known_affected_version_range entries
• Bumped the modified timestamp

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The change removes database_specific.last_known_affected_version_range entirely. If any downstream tooling/reporting in this repo relies on that field (even if optional in OSV), this will silently reduce the available metadata. Consider retaining database_specific but updating it to match the new intent (e.g., an exact range or an exact-version note), or verify consumers don’t depend on it before removing.