Steps to reproduce
Run composer audit
You'll see the phpseclib/phpseclib package listed as a dependency with a vulnerable version:

```
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | high                                                                             |
| CVE               | CVE-2024-27354                                                                   |
| Title             | phpseclib a large prime can cause a denial of service                            |
| URL               | https://github.com/advisories/GHSA-hg35-mp25-qf6h                                |
| Affected versions | >=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23                                  |
| Reported at       | 2024-03-02T00:31:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | high                                                                             |
| CVE               | CVE-2024-27355                                                                   |
| Title             | phpseclib does not properly limit the ASN1 OID length                            |
| URL               | https://github.com/advisories/GHSA-jr22-8qgm-4q87                                |
| Affected versions | >=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23                                  |
| Reported at       | 2024-03-02T00:31:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
```
Proposed resolution
Update the Composer requirement to a newer version of the phpseclib/phpseclib library, e.g. ^3.0.36
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | fix-dependency-to-vulnerable-phpseclib-package.patch | 304 bytes | endrukk |
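As an added check that is not part of this issue or the attached patch: a small Python script that reads a composer.lock and tests the locked phpseclib/phpseclib version against the affected-version constraint printed by `composer audit` above, so you can confirm after updating that the locked version is outside the vulnerable ranges. The composer.lock fragment is constructed for the example.

```python
import json
import re
from typing import Optional, Tuple

# Affected-version constraint exactly as printed by `composer audit` for
# CVE-2024-27354 / CVE-2024-27355: "|" separates alternatives (OR),
# "," separates conditions inside an alternative (AND).
AFFECTED = ">=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23"

# Constructed composer.lock fragment (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpseclib/phpseclib", "version": "3.0.35"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "=": lambda a, b: a == b,
}

def parse_version(v: str) -> Tuple[int, int, int]:
    # Drop a leading "v" and any pre-release/build suffix, pad to major.minor.patch.
    core = re.split(r"[-+]", v.strip().lstrip("vV"))[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def matches_constraint(version: str, constraint: str) -> bool:
    # True when the version falls inside any "|"-separated alternative.
    v = parse_version(version)
    for alternative in constraint.split("|"):
        for cond in alternative.split(","):
            m = re.fullmatch(r"(>=|<=|>|<|==|=)\s*(.+)", cond.strip())
            if not m:
                raise ValueError(f"unsupported constraint: {cond!r}")
            op, bound = m.groups()
            if not _OPS[op](v, parse_version(bound)):
                break  # this alternative fails; try the next one
        else:
            return True
    return False

def locked_version(lock_json: str, package: str) -> Optional[str]:
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None

def is_vulnerable(lock_json: str, package: str = "phpseclib/phpseclib",
                  affected: str = AFFECTED) -> bool:
    v = locked_version(lock_json, package)
    return v is not None and matches_constraint(v, affected)
```

Run it against the real lock file with `is_vulnerable(open("composer.lock").read())`; a False result after the bump shows the fix is in place.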
Comments
Comment #2
endrukk commented
Comment #3
endrukk commented: Here is a patch that requires a higher version of the dependency.
Comment #4
endrukk commented
Comment #6
john franklin commented: Fixed, thanks for the patch!
Comment #7
john franklin commented