Skip to main content

phpseclib CVE-2026-44167

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-05 https://github.com/phpseclib/phpseclib GHSA-3qpq-r242-jqj7
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:46 vuln.today
Analysis Generated
May 05, 2026 - 21:46 vuln.today

DescriptionGitHub Advisory

Impact

Anyone loading untrusted ASN1 files (eg. X509 certificates, RSA PKCS8 private or public keys, etc)

Patches

https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc

Workarounds

No.

References

https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc

AnalysisAI

Denial of service attacks against PHP applications using phpseclib can be triggered by providing maliciously crafted ASN.1 encoded files containing oversized Object Identifiers. The vulnerability bypasses a previous CVE-2024-27355 mitigation, allowing OID amplification attacks that exhaust server resources when processing untrusted X.509 certificates, PKCS8 keys, or other ASN.1 structures. Vendor-released patches are available across all affected major versions (1.x, 2.x, 3.x). CVSS 7.5 indicates network-exploitable, unauthenticated denial of service with no public exploit identified at time of analysis.

Technical ContextAI

phpseclib is a pure PHP implementation of cryptographic protocols and file formats, widely used in PHP applications for processing X.509 certificates, SSH keys, and other ASN.1-encoded structures. This vulnerability (CWE-400: Uncontrolled Resource Consumption) resides in the ASN1::decodeOID() function which decodes Object Identifiers in ASN.1 DER/BER encoded data. The issue is a mitigation bypass of CVE-2024-27355-the original fix limited OID size to 4096 bytes, but attackers can still trigger resource exhaustion through amplification attacks at that threshold. The patch further reduces the limit to 128 bytes, preventing the amplification vector while maintaining compatibility with legitimate OID usage. This affects all applications using phpseclib to parse untrusted cryptographic material, particularly web applications handling certificate uploads, API key validation, or PKI operations.

RemediationAI

Upgrade phpseclib immediately to the patched versions: 1.0.29 for 1.x branch, 2.0.54 for 2.x branch, or 3.0.52 for 3.x branch. The fix is available via Composer package manager and documented in commit d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc which reduces the OID size limit from 4096 to 128 bytes. No workarounds are available according to the vendor advisory. If immediate patching is not feasible, implement strict input validation to reject ASN.1 files before they reach phpseclib parsing functions-specifically, enforce maximum file size limits (under 10KB for typical certificates) and implement request rate limiting on endpoints accepting cryptographic file uploads. Note that file size limiting alone may not prevent the attack if the malicious OID is embedded in an otherwise small file, so this is a compensating control only and patching remains the primary remediation. Verify patch application by confirming the ASN1.php file contains the 128-byte limit check. Advisory URL: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-3qpq-r242-jqj7.

Share

CVE-2026-44167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy