DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-g7m4-839x-ch6v: Denial of Service via Unbounded Digits Parameter in spomky-labs/otphp

Vulnerability ID: GHSA-G7M4-839X-CH6V
CVSS Score: 8.7
Published: 2026-06-18

The spomky-labs/otphp library prior to version 11.4.3 crashes with an unhandled DivisionByZeroError when it parses a provisioning URI whose digits parameter is 40 or greater. An unauthenticated remote attacker who can supply a crafted URI can therefore trigger a Denial of Service: the oversized digits value causes a float-to-integer cast overflow, and the resulting zero divisor produces a fatal division-by-zero error on modern PHP runtimes.

TL;DR

Unbounded digits parameter in otphp provisioning URIs triggers a float-to-integer conversion overflow, culminating in an unhandled division-by-zero fatal crash in PHP.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-1284 / CWE-369
  • Attack Vector: Network (AV:N)
  • CVSS Score: 8.7
  • EPSS Score: Not Mapped (No CVE)
  • Impact: Denial of Service (Availability: High)
  • Exploit Status: Proof-of-Concept (PoC) Released
  • KEV Status: Not Listed

Affected Systems

  • spomky-labs/otphp < 11.4.3 (fixed in 11.4.3)

Exploit Details

  • GitHub Security Advisory: Official advisory detailing the DivisionByZeroError vulnerability and containing a functional PHP Proof of Concept.

Mitigation Strategies

  • Upgrade spomky-labs/otphp to 11.4.3 or higher
  • Pre-parse and validate digits parameters before calling loadFromProvisioningUri
  • Catch global Throwable instead of Exception to gracefully handle DivisionByZeroError in PHP 8.x

Remediation Steps:

  1. Modify composer.json to require "spomky-labs/otphp": "^11.4.3"
  2. Run composer update spomky-labs/otphp to update the vendored package
  3. Implement custom pre-parsing middleware to validate digits query parameter inside standard range (4 to 10)
  4. Refactor try/catch blocks encapsulating OTP generation to target the base \Throwable interface
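The two defensive steps above (pre-validating the digits query parameter and catching \Throwable rather than Exception) combined into one guard, as an added example that is not part of the advisory or the otphp project. It assumes the library's OTPHP\Factory::loadFromProvisioningUri() and OTPHP\OTPInterface as named on this page; the 4 to 10 range is the one the remediation step recommends.

```php
<?php
declare(strict_types=1);

use OTPHP\Factory;
use OTPHP\OTPInterface;

// Added example: guard applied before the library ever sees the URI.
final class ProvisioningUriGuard
{
    // Range recommended by the remediation step above (assumption: callers
    // may tighten it, most authenticator apps only accept 6 to 8 digits).
    private const MIN_DIGITS = 4;
    private const MAX_DIGITS = 10;

    /**
     * Returns the validated digits value, or null when the parameter is absent
     * (the library default then applies). Throws on anything out of range or
     * not a plain short integer, so "40", "1e3", "8.0" or digits[]=8 are rejected
     * before any float-to-int cast can happen inside the library.
     */
    public static function digitsFromUri(string $uri): ?int
    {
        $parts = parse_url($uri);
        if ($parts === false || ($parts['scheme'] ?? '') !== 'otpauth') {
            throw new InvalidArgumentException('not an otpauth:// URI');
        }
        $query = [];
        parse_str($parts['query'] ?? '', $query);
        if (!array_key_exists('digits', $query)) {
            return null;
        }
        $raw = $query['digits'];
        if (!is_string($raw) || preg_match('/^\d{1,2}\z/', $raw) !== 1) {
            throw new InvalidArgumentException('digits must be a one- or two-digit integer');
        }
        $digits = (int) $raw;
        if ($digits < self::MIN_DIGITS || $digits > self::MAX_DIGITS) {
            throw new InvalidArgumentException("digits out of range: {$digits}");
        }
        return $digits;
    }

    /** Validate first, then load; \Throwable also covers DivisionByZeroError (an Error, not an Exception). */
    public static function load(string $uri): ?OTPInterface
    {
        try {
            self::digitsFromUri($uri);
            return Factory::loadFromProvisioningUri($uri);
        } catch (\Throwable $e) {
            error_log('rejected provisioning URI: ' . $e->getMessage());
            return null; // caller treats null as "invalid URI", the worker keeps running
        }
    }
}
```

With a constructed input such as `otpauth://totp/acme:alice?secret=JBSWY3DPEHPK3PXP&digits=40`, digitsFromUri() throws and load() returns null instead of letting the request crash the PHP process.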

Read the full report for GHSA-G7M4-839X-CH6V on our website for more details including interactive diagrams and full exploit analysis.
