DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2023-49316: CVE-2023-49316: Denial of Service via Unbounded Degree in phpseclib Binary Finite Fields

#security #cve #cybersecurity

CVE-2023-49316: Denial of Service via Unbounded Degree in phpseclib Binary Finite Fields

Vulnerability ID: CVE-2023-49316
CVSS Score: 7.5
Published: 2026-05-08

The phpseclib cryptographic library version 3.x prior to 3.0.34 contains a Denial of Service (DoS) vulnerability in its mathematical field generation logic. When parsing maliciously crafted X.509 certificates or PKCS#8 private keys specifying Elliptic Curve parameters over a binary finite field, the library fails to validate the degree parameter. This flaw allows a remote attacker to force the PHP application to perform unbounded memory allocations, exhausting server resources and terminating the application worker process.

TL;DR

phpseclib 3.x before 3.0.34 fails to bound the degree parameter when parsing Elliptic Curve keys over binary fields, allowing unauthenticated attackers to cause a fatal Out-Of-Memory (OOM) crash via a crafted ASN.1 payload.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-834
  • Attack Vector: Network
  • CVSS v3.1: 7.5
  • EPSS Score: 0.15%
  • Impact: High (Availability)
  • Exploit Status: Proof-of-Concept
  • CISA KEV: Not Listed

Affected Systems

  • phpseclib 3.0.x
  • phpseclib: >= 3.0.0, < 3.0.34 (Fixed in: 3.0.34)

Code Analysis

Commit: 964d781

Add degree bounds checking to BinaryField constructor to prevent OOM denial of service

Exploit Details

  • Research Paper: X.509DoS: Exploiting and Detecting Denial-of-Service Vulnerabilities in X.509 Certificate Parsing

Mitigation Strategies

  • Upgrade phpseclib to version 3.0.34 or later.
  • Implement application-level exception handling for OutOfBoundsException during cryptographic material parsing.
  • Enforce strict file size limits on endpoints accepting user-uploaded certificate files.

Remediation Steps:

  1. Identify the project dependencies using composer: composer show phpseclib/phpseclib.
  2. Update the composer requirement to pull the latest 3.0.x patch: composer require phpseclib/phpseclib:^3.0.34.
  3. Execute composer update.
  4. Deploy the updated composer.lock file to production environments.
  5. Audit all calls to EC::loadFormat() to ensure proper try...catch blocks encompass the parsing logic.

References

Read the full report for CVE-2023-49316 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)