QwikSec

Security Database

CVE

CWE

Training

CVE-2025-21617

Published: Jan 6, 2025

Modified: Jan 6, 2025

PUBLISHED

Description

Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.

Vendor	Product	Versions
guzzle	oauth-subscriber	affected `< 0.8.1`

Weaknesses (CWE)

References

https://github.com/guzzle/oauth-subscriber/security/advisories/GHSA-237r-r8m4-4q88

x_refsource_CONFIRM

https://github.com/guzzle/oauth-subscriber/commit/92b619b03bd21396e51c62e6bce83467d2ce8f53

x_refsource_MISC

https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192

x_refsource_MISC

https://github.com/guzzle/oauth-subscriber/releases/tag/0.8.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.