Search for vulnerabilities
Vulnerability details: VCID-k9e9-7ez7-bbcw
Vulnerability ID VCID-k9e9-7ez7-bbcw
Aliases CVE-2024-27355
GHSA-jr22-8qgm-4q87
Summary phpseclib does not properly limit the ASN1 OID length An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-400 Uncontrolled Resource Consumption
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2024-27355
cvssv3.1 7.5 https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
generic_textual HIGH https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
ssvc Track https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
cvssv3.1 7.5 https://github.com/advisories/GHSA-jr22-8qgm-4q87
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-jr22-8qgm-4q87
generic_textual HIGH https://github.com/advisories/GHSA-jr22-8qgm-4q87
cvssv3.1 7.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2024-27355.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2024-27355.yaml
cvssv3.1 7.5 https://github.com/phpseclib/phpseclib
generic_textual HIGH https://github.com/phpseclib/phpseclib
cvssv3.1 7.5 https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
generic_textual HIGH https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
ssvc Track https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
cvssv3.1 7.5 https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59
generic_textual HIGH https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
ssvc Track https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
ssvc Track https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-27355
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-27355
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-27355
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27355
https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
https://github.com/advisories/GHSA-jr22-8qgm-4q87
https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2024-27355.yaml
https://github.com/phpseclib/phpseclib
https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59
https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
https://nvd.nist.gov/vuln/detail/CVE-2024-27355
USN-7404-1 https://usn.ubuntu.com/7404-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:10:07Z/ Found at https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/advisories/GHSA-jr22-8qgm-4q87
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2024-27355.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/phpseclib/phpseclib
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:10:07Z/ Found at https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:10:07Z/ Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:10:07Z/ Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-27355
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.24873
EPSS Score 0.00082
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:33:07.248365+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-jr22-8qgm-4q87/GHSA-jr22-8qgm-4q87.json 37.0.0