phpseclib CVE-2026-44167
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
Anyone loading untrusted ASN1 files (eg. X509 certificates, RSA PKCS8 private or public keys, etc)
Patches
https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc
Workarounds
No.
References
https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc
AnalysisAI
Denial of service attacks against PHP applications using phpseclib can be triggered by providing maliciously crafted ASN.1 encoded files containing oversized Object Identifiers. The vulnerability bypasses a previous CVE-2024-27355 mitigation, allowing OID amplification attacks that exhaust server resources when processing untrusted X.509 certificates, PKCS8 keys, or other ASN.1 structures. Vendor-released patches are available across all affected major versions (1.x, 2.x, 3.x). CVSS 7.5 indicates network-exploitable, unauthenticated denial of service with no public exploit identified at time of analysis.
Technical ContextAI
phpseclib is a pure PHP implementation of cryptographic protocols and file formats, widely used in PHP applications for processing X.509 certificates, SSH keys, and other ASN.1-encoded structures. This vulnerability (CWE-400: Uncontrolled Resource Consumption) resides in the ASN1::decodeOID() function which decodes Object Identifiers in ASN.1 DER/BER encoded data. The issue is a mitigation bypass of CVE-2024-27355-the original fix limited OID size to 4096 bytes, but attackers can still trigger resource exhaustion through amplification attacks at that threshold. The patch further reduces the limit to 128 bytes, preventing the amplification vector while maintaining compatibility with legitimate OID usage. This affects all applications using phpseclib to parse untrusted cryptographic material, particularly web applications handling certificate uploads, API key validation, or PKI operations.
RemediationAI
Upgrade phpseclib immediately to the patched versions: 1.0.29 for 1.x branch, 2.0.54 for 2.x branch, or 3.0.52 for 3.x branch. The fix is available via Composer package manager and documented in commit d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc which reduces the OID size limit from 4096 to 128 bytes. No workarounds are available according to the vendor advisory. If immediate patching is not feasible, implement strict input validation to reject ASN.1 files before they reach phpseclib parsing functions-specifically, enforce maximum file size limits (under 10KB for typical certificates) and implement request rate limiting on endpoints accepting cryptographic file uploads. Note that file size limiting alone may not prevent the attack if the malicious OID is embedded in an otherwise small file, so this is a compensating control only and patching remains the primary remediation. Verify patch application by confirming the ASN1.php file contains the 128-byte limit check. Advisory URL: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-3qpq-r242-jqj7.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3qpq-r242-jqj7