Security Vulnerability in Guzzle OAuth Subscriber by Guzzle
CVE-2025-21617
What is CVE-2025-21617?
The Guzzle OAuth Subscriber, which signs HTTP requests using OAuth 1.0, generated nonces insecurely in versions prior to 0.8.1. The nonce source provided too little entropy and was not a cryptographically secure pseudorandom generator, so nonces could be predictable or collide, exposing requests to replay attacks, particularly where TLS is not in use to protect the request in transit. Users are urged to upgrade to version 0.8.1 to mitigate this flaw.
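The following PHP example is added here to illustrate the weakness class the advisory describes and the corresponding defenses; it is not Guzzle's code, and the `weakNonce()` function is a constructed illustration of a low-entropy, non-CSPRNG nonce, not the project's actual pre-0.8.1 implementation. The `NonceStore` class is a hypothetical server-side component showing the replay check that RFC 5849 section 3.3 requires of an OAuth 1.0 server (a nonce must be unique per consumer key and timestamp, and the timestamp must fall within an accepted window).

```php
<?php
// Added example (not Guzzle's code): weak vs. secure OAuth 1.0 nonce generation,
// plus a hypothetical server-side replay check.
declare(strict_types=1);

// WEAK (constructed illustration of the weakness class, not the project's code):
// mt_rand() is a Mersenne Twister, not a CSPRNG, and uniqid() is derived from the
// wall clock. Both are guessable by an observer; hashing them adds no entropy.
function weakNonce(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// STRONG: read 16 bytes (128 bits) from the operating system CSPRNG through
// random_bytes(), which throws on failure instead of falling back to a weak source.
function secureNonce(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Hypothetical server-side replay defense. RFC 5849 section 3.3 requires the
// server to reject a request whose (consumer key, timestamp, nonce) triple has
// already been seen, and to reject timestamps outside an acceptable window.
final class NonceStore
{
    /** @var array<string, true> */
    private array $seen = [];

    public function __construct(private int $windowSeconds = 300)
    {
    }

    public function accept(string $consumerKey, int $timestamp, string $nonce, int $now): bool
    {
        // Stale or future-dated timestamps are rejected so the store stays bounded.
        if (abs($now - $timestamp) > $this->windowSeconds) {
            return false;
        }
        $key = $consumerKey . '|' . $timestamp . '|' . $nonce;
        // A repeated triple is a replayed request.
        if (isset($this->seen[$key])) {
            return false;
        }
        $this->seen[$key] = true;
        return true;
    }
}

// Demonstration with constructed values.
$now = time();
$store = new NonceStore();
$nonce = secureNonce();

echo 'first use:          ', $store->accept('consumer-abc', $now, $nonce, $now) ? 'accepted' : 'rejected', PHP_EOL;
echo 'same nonce again:   ', $store->accept('consumer-abc', $now, $nonce, $now) ? 'accepted' : 'rejected', PHP_EOL;
echo 'timestamp too old:  ', $store->accept('consumer-abc', $now - 3600, secureNonce(), $now) ? 'accepted' : 'rejected', PHP_EOL;
echo 'weak nonce sample:  ', weakNonce(), PHP_EOL;
echo 'secure nonce sample:', ' ', secureNonce(), PHP_EOL;
```

The client-side fix is the one-line switch from a time- or `mt_rand()`-derived value to `random_bytes()`; the server-side store matters because a strong nonce only prevents replay if the server actually remembers what it has seen within the timestamp window. In production the `$seen` array would be replaced by a shared store with expiry (for example a cache with a TTL equal to the window), but the acceptance logic is the same.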
