Description
phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (e.g. X509 certificates, RSA PKCS8 private or public keys, etc). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to force phpseclib to process an improperly constructed ASN1 OID, causing memory exhaustion and a denial of service. It bypasses the mitigation added for CVE-2024-27355, and is classified as CWE-400. Attackers can trigger the crash by supplying a crafted ASN1 file such as an X509 certificate or RSA key.

Affected Systems

Affected versions are all releases of phpseclib prior to 1.0.29, 2.0.54, and 3.0.52. Any application that depends on one of these older releases is vulnerable. The affected code is the ASN1::decodeOID() function, which is reached by any PHP code path that imports certificates or keys through phpseclib.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no widespread active exploitation yet. However, the flaw is exploitable over the network when an application trusts untrusted ASN1 data, so the likely attack vector is remote. Administrators should treat this as a high-severity DoS risk until the library is updated.

Generated by OpenCVE AI on May 12, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update phpseclib to 1.0.29, 2.0.54, or 3.0.52 depending on your PHP version.
  • Verify that no untrusted ASN1 files are loaded before this update; restrict certificate or key inputs to trusted sources.
  • Temporarily disable or filter loading of untrusted ASN1 content until the library is upgraded.
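The first recommended action is a version check, and the quickest place to verify it is the project's composer.lock. The following script is an added example (it is not phpseclib's or OpenCVE's code) that reads a lock file, finds the pinned phpseclib release and compares it against the fixed version for its branch as stated in this advisory (1.0.29, 2.0.54, 3.0.52). It assumes the package is installed under the name phpseclib/phpseclib and that the lock file follows the standard Composer layout; the sample lock file at the bottom is constructed for the demonstration.

```php
<?php
// Added example, not part of phpseclib or of the OpenCVE record.
// Fixed versions per branch, as given in the advisory text above.
const PHPSECLIB_FIXED_VERSIONS = [
    '1' => '1.0.29',
    '2' => '2.0.54',
    '3' => '3.0.52',
];

/**
 * Returns the fixed version for the branch that $installed belongs to,
 * or null when the major version is not one the advisory covers
 * (e.g. a "dev-*" alias, which should be checked by hand).
 */
function phpseclibFixedVersionFor(string $installed): ?string
{
    $normalized = ltrim($installed, 'v');          // Composer may pin "v3.0.51"
    $major = explode('.', $normalized, 2)[0];
    return PHPSECLIB_FIXED_VERSIONS[$major] ?? null;
}

/**
 * True only when $installed is a release at or above the fix for its branch.
 * Unknown branches are reported as not fixed so they are not silently accepted.
 */
function phpseclibIsFixed(string $installed): bool
{
    $fixed = phpseclibFixedVersionFor($installed);
    if ($fixed === null) {
        return false;
    }
    return version_compare(ltrim($installed, 'v'), $fixed, '>=');
}

/**
 * Locates phpseclib/phpseclib in a composer.lock document (both the
 * "packages" and "packages-dev" sections) and reports its status.
 * Returns ['installed', 'fixed', 'ok'] or null when the package is absent.
 */
function auditComposerLock(string $lockJson): ?array
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        throw new InvalidArgumentException('composer.lock is not valid JSON');
    }
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === 'phpseclib/phpseclib') {
                $installed = (string) ($pkg['version'] ?? '');
                return [
                    'installed' => $installed,
                    'fixed'     => phpseclibFixedVersionFor($installed),
                    'ok'        => phpseclibIsFixed($installed),
                ];
            }
        }
    }
    return null;
}

// Constructed sample lock file (not from a real project): one release below the fix.
$sampleLock = json_encode([
    'packages'     => [['name' => 'phpseclib/phpseclib', 'version' => '3.0.51']],
    'packages-dev' => [],
]);

// Replace $sampleLock with file_get_contents('composer.lock') to audit a real tree.
$result = auditComposerLock($sampleLock);
if ($result === null) {
    echo "phpseclib/phpseclib is not present in composer.lock\n";
} elseif ($result['ok']) {
    printf("phpseclib %s is at or above %s: fixed\n", $result['installed'], $result['fixed']);
} else {
    printf("phpseclib %s is below %s: upgrade required\n",
        $result['installed'], $result['fixed'] ?? 'a covered branch');
}
```

The branch mapping matters because the three supported lines are fixed in parallel: a 2.x project is not expected to jump to 3.0.52, it needs 2.0.54. Treating an unrecognised branch as "not fixed" errs on the side of flagging a dependency for manual review rather than quietly passing it.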

Generated by OpenCVE AI on May 12, 2026 at 19:48 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-3qpq-r242-jqj7
Title: phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID()
History

Tue, 12 May 2026 22:00:00 +0000

Values Removed: none

Type: First Time appeared
Values Added: Phpseclib; Phpseclib phpseclib

Type: Vendors & Products
Values Added: Phpseclib; Phpseclib phpseclib

Tue, 12 May 2026 17:30:00 +0000

Values Removed: none

Type: Description
Values Added: phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (e.g. X509 certificates, RSA PKCS8 private or public keys, etc). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.

Type: Title
Values Added: phpseclib: CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID()

Type: Weaknesses
Values Added: CWE-400

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Phpseclib Phpseclib
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T17:22:14.764Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44167

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:29.273

Modified: 2026-05-12T18:17:29.273

Link: CVE-2026-44167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses