phpseclib/phpseclib Security Advisories for 3.0.47 (3)
- [HIGH] phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID()
PKSA-smrh-yx37-92ws CVE-2026-44167 GHSA-3qpq-r242-jqj7
Affected version: >=0.1.1,<=1.0.28|>=3.0.0,<=3.0.51|>=2.0.0,<=2.0.53
Reported by: GitHub
- [LOW] phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
PKSA-zh4j-by9m-7mz8 CVE-2026-40194 GHSA-r854-jrxh-36qx
Affected version: >=0.1.1,<1.0.28|>=3.0.0,<3.0.51|>=2.0.0,<2.0.53
Reported by: GitHub
- [HIGH] phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
PKSA-km2b-zc3b-mjm3 CVE-2026-32935 GHSA-94g3-g5v7-q4jg
Affected version: >=0.1.1,<=1.0.26|>=2.0.0,<=2.0.51|>=3.0.0,<=3.0.49
Reported by: GitHub