CVE Reports

Originally published at cvereports.com

GHSA-2JX3-65F3-XR8R: Dynamic Property Injection (Mass Assignment) in spomky-labs/otphp

Vulnerability ID: GHSA-2JX3-65F3-XR8R
CVSS Score: 5.3
Published: 2026-06-18

A critical mass-assignment (property injection) vulnerability exists in the PHP One-Time Password (OTP) library spomky-labs/otphp within the Factory::loadFromProvisioningUri method. When an application loads an OTP provisioning URI (such as a QR code configuration link), a hostile URI can inject query parameters that dynamically overwrite internal, private, or read-only object properties of the OTP instance. This behavior leads to application state corruption, validation bypasses, or uncaught TypeErrors that crash the executing application process.

TL;DR

Unauthenticated remote attackers can deliver crafted OTP provisioning URIs to overwrite internal properties of the otphp library, causing denial of service, validation bypasses, or immediate application crashes.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-915
  • Attack Vector: Network
  • CVSS v4 Score: 5.3 (Medium)
  • Exploit Status: Proof of Concept
  • Affected Component: Factory::loadFromProvisioningUri
  • Vulnerability Class: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected Systems

  • Web applications incorporating PHP MFA / TOTP / HOTP functionality based on the spomky-labs/otphp library prior to v11.4.3
  • spomky-labs/otphp: < 11.4.3 (Fixed in: 11.4.3)

Mitigation Strategies

  • Upgrade spomky-labs/otphp package to version 11.4.3 or later
  • Implement client-side or gateway-level query parameter sanitization before parsing
  • Enforce global exception catching for all Throwable types on OTP factory loaders

Remediation Steps

  1. Run 'composer update spomky-labs/otphp' to pull the patched version (11.4.3)
  2. Audit application logic to verify that all Factory::loadFromProvisioningUri calls are wrapped in robust try-catch blocks
  3. Verify system tests discard URIs containing disallowed nested parameters such as parameters[...] or clock[...]
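As an added example (not code from the otphp project or the advisory), a PHP wrapper that applies the last two remediation steps: it allowlists the query keys of the provisioning URI and refuses bracketed ones before the library ever parses it, then catches Throwable around Factory::loadFromProvisioningUri. The allowlist of standard otpauth parameter names is an assumption to adjust for your own enrolment flow.

```php
<?php
declare(strict_types=1);

use OTPHP\Factory;
use OTPHP\OTPInterface;

// Added example, not otphp project code. The allowlist below is an assumption
// built from the standard otpauth:// query parameters; adjust it to match the
// parameters your enrolment flow actually emits.
const ALLOWED_OTPAUTH_KEYS = ['secret', 'issuer', 'algorithm', 'digits', 'period', 'counter', 'image'];
/**
 * Reject a provisioning URI before the library parses it: any bracketed key
 * (parameters[...], clock[...]) or any key outside the allowlist is refused.
 */
function validateProvisioningUri(string $uri): void
{
    $parts = parse_url($uri);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'otpauth') {
        throw new InvalidArgumentException('Not an otpauth URI');
    }
    // Walk the raw query string rather than calling parse_str(): parse_str()
    // would silently turn "clock[foo]=bar" into a nested array, hiding the
    // very shape the advisory says to discard.
    foreach (explode('&', $parts['query'] ?? '') as $pair) {
        if ($pair === '') {
            continue;
        }
        $key = rawurldecode(explode('=', $pair, 2)[0]);
        if (str_contains($key, '[') || str_contains($key, ']')) {
            throw new InvalidArgumentException("Nested parameter rejected: $key");
        }
        if (!in_array(strtolower($key), ALLOWED_OTPAUTH_KEYS, true)) {
            throw new InvalidArgumentException("Unknown parameter rejected: $key");
        }
    }
}

/** Validate first, then catch Throwable (not just Exception) so a TypeError
 *  thrown inside the factory cannot take down the worker process. */
function loadOtpSafely(string $uri): ?OTPInterface
{
    try {
        validateProvisioningUri($uri);
        return Factory::loadFromProvisioningUri($uri);
    } catch (Throwable $e) {
        error_log('Rejected provisioning URI: ' . $e->getMessage());
        return null;
    }
}
```

A null return means the URI was refused or the factory failed; log it and treat the enrolment as invalid rather than retrying with the same input.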

Read the full report for GHSA-2JX3-65F3-XR8R on our website for more details including interactive diagrams and full exploit analysis.