SB2025042950 - Spoofing attack in phpseclib
Published: April 29, 2025 Updated: May 21, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2023-52892)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling some characters in Subject Alternative Name fields in TLS certificates. These fields are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.
Remediation
Install update from vendor's website.
References
- https://github.com/phpseclib/phpseclib/issues/1943
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.33
- https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbeaf4627
- https://github.com/x509-name-testing/name_testing_artifacts
- https://github.com/phpseclib/phpseclib/security/advisories/GHSA-wc6m-wcx7-q5p2