Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yMzdyLXI4bTQtNHE4OM4ABC_D
Guzzle OAuth Subscriber has insufficient nonce entropy
Impact
Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.
Patches
Upgrade to version 0.8.1 or higher.
Workarounds
No.
References
Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.
Permalink: https://github.com/advisories/GHSA-237r-r8m4-4q88JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yMzdyLXI4bTQtNHE4OM4ABC_D
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 days ago
Updated: 2 days ago
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-237r-r8m4-4q88, CVE-2025-21617
References:
- https://github.com/guzzle/oauth-subscriber/security/advisories/GHSA-237r-r8m4-4q88
- https://github.com/guzzle/oauth-subscriber/commit/92b619b03bd21396e51c62e6bce83467d2ce8f53
- https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192
- https://github.com/guzzle/oauth-subscriber/releases/tag/0.8.1
- https://nvd.nist.gov/vuln/detail/CVE-2025-21617
- https://github.com/advisories/GHSA-237r-r8m4-4q88
Blast Radius: 0.0
Affected Packages
packagist:guzzlehttp/oauth-subscriber
Dependent packages: 153Dependent repositories: 743
Downloads: 10,851,877 total
Affected Version Ranges: < 0.8.1
Fixed in: 0.8.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0
All unaffected versions: 0.8.1