CVE-2024-27354

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue was introduced when attempting to fix CVE-2023-27560.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b	Third Party Advisory
https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Math/PrimeField.php#L49	Product
https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html	Mailing List Third Party Advisory
https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b	Third Party Advisory
https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Math/PrimeField.php#L49	Product
https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:phpseclib:phpseclib::::::::
	cpe:2.3:a:phpseclib:phpseclib::::::::
	cpe:2.3:a:phpseclib:phpseclib::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

15 Sep 2025, 17:58

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::*
First Time		Debian debian Linux Debian

15 Sep 2025, 17:13

Type	Values Removed	Values Added
First Time		Phpseclib phpseclib Phpseclib
CPE		cpe:2.3:a:phpseclib:phpseclib::::::::
References	~~() https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b -~~	() https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b - Third Party Advisory
References	~~() https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Math/PrimeField.php#L49 -~~	() https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Math/PrimeField.php#L49 - Product
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html - Mailing List, Third Party Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html - Mailing List, Third Party Advisory

21 Nov 2024, 09:04

Type	Values Removed	Values Added
References	~~() https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b -~~	() https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b -
References	~~() https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Math/PrimeField.php#L49 -~~	() https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Math/PrimeField.php#L49 -
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html -
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html -

01 Aug 2024, 13:48

Type	Values Removed	Values Added
CWE		CWE-400
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

21 Mar 2024, 02:52

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en phpseclib 1.x anterior a 1.0.23, 2.x anterior a 2.0.47 y 3.x anterior a 3.0.36. Un atacante puede crear un certificado con formato incorrecto que contenga un valor principal extremadamente grande para provocar una denegación de servicio (consumo de CPU para una verificación de primalidad de isPrime). NOTA: este problema se introdujo al intentar solucionar CVE-2023-27560.
References		() https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html - () https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html -

01 Mar 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-01 23:15

Updated : 2025-09-15 17:58

NVD link : CVE-2024-27354

Mitre link : CVE-2024-27354

CVE.ORG link : CVE-2024-27354

JSON object : View

Products Affected

phpseclib

phpseclib

debian

debian_linux

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10