CVE-2025-21617

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-21617

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21617.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-21617

Aliases

GHSA-237r-r8m4-4q88

Published

2025-01-06T19:23:23.232Z

Modified

2025-11-20T12:32:46.483093Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Guzzle OAuth Subscriber has insufficient nonce entropy

Details

Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.

Database specific

{
    "cwe_ids": [
        "CWE-338"
    ]
}

References

Affected packages

Git / github.com/guzzle/oauth-subscriber

Affected ranges

Type: GIT
Repo: https://github.com/guzzle/oauth-subscriber
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

92b619b03bd21396e51c62e6bce83467d2ce8f53

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0