CVE-2026-25129: PsySH has Local Privilege Escalation via CWD .psysh.php auto-load
PsySH automatically loads and executes a .psysh.php file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim’s context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation.
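A pre-launch check for the condition described above, as an added example (not PsySH code and not part of the advisory). The function name `psysh_cwd_audit`, its return codes, and the choice of "foreign owner, symlink, or group/world-writable" as the signals are assumptions made for illustration.

```shell
#!/bin/sh
# psysh_cwd_audit DIR  (hypothetical helper, added example)
# Flags the two preconditions of the CWD auto-load issue before PsySH is
# started from DIR:
#   return 1  DIR/.psysh.php exists and is a symlink, is owned by another
#             user, or is group/world-writable
#   return 2  no suspicious file yet, but DIR is group/world-writable, so
#             other accounts could plant one
#   return 0  neither condition found
psysh_cwd_audit() {
    dir=${1:-.}
    file="$dir/.psysh.php"
    me=$(id -u)
    status=0

    # A directory writable by group or others lets those accounts create
    # .psysh.php at any time before the next launch.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "WARN: $dir is group/world-writable" >&2
        status=2
    fi

    if [ -L "$file" ]; then
        echo "ALERT: $file is a symlink" >&2
        status=1
    elif [ -e "$file" ]; then
        # find prints the path only if ownership or mode is untrusted.
        if [ -n "$(find "$file" -prune \( ! -user "$me" -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "ALERT: $file is not exclusively controlled by uid $me" >&2
            status=1
        else
            echo "NOTE: $file is yours and will be executed on startup" >&2
        fi
    fi
    return "$status"
}
```

Run `psysh_cwd_audit "$PWD"` before starting PsySH, in particular in any session that runs with elevated privileges, and treat a non-zero return as a reason to inspect the directory first.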