Input validation error in phpseclib - CVE-2023-52892
Published: April 29, 2025 / Updated: May 21, 2026
Vulnerability identifier: #VU108060
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-52892
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: phpseclib
Affected software:
phpseclib
phpseclib
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling some characters in Subject Alternative Name fields in TLS certificates. These fields are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.
How to mitigate CVE-2023-52892
Install updates from vendor's website.
Sources
- https://github.com/phpseclib/phpseclib/issues/1943
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.33
- https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbeaf4627
- https://github.com/x509-name-testing/name_testing_artifacts
- https://github.com/phpseclib/phpseclib/security/advisories/GHSA-wc6m-wcx7-q5p2