Guzzle OAuth Subscriber Insufficient Nonce Entropy Vulnerability Allowing Replay Attacks

Vulnerability

Guzzle OAuth Subscriber (Composer package guzzlehttp/oauth-subscriber) in versions prior to 0.8.1 generates the OAuth 1.0 oauth_nonce parameter without sufficient entropy and without a cryptographically secure pseudorandom number generator. OAuth 1.0 servers detect repeated requests by recording the nonce together with the timestamp and consumer key (RFC 5849, section 3.3), so a predictable or colliding nonce weakens that protection. The exposure is greatest when requests are sent without TLS, because an on-path attacker can then capture complete signed requests.

Impact

An attacker who has captured a signed request, for example by observing unencrypted traffic, can resend it unchanged. The OAuth signature remains valid on replay because it covers the same nonce and timestamp, so if the server does not reliably reject the reused nonce and timestamp combination, the replayed request is processed as though the legitimate user had sent it again. The attacker thereby acts as that user without knowing any credential or signing secret.
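The following Python example is added here to make the mechanism described above concrete; it is not code from Guzzle OAuth Subscriber. It contrasts a constructed clock-derived nonce, which stands in for the class of low-entropy, non-CSPRNG generator at issue and is not the library's actual generator, with a CSPRNG-backed nonce, and it implements the server-side nonce and timestamp bookkeeping from RFC 5849 section 3.3 that stops a captured request from being replayed. The names weak_nonce, strong_nonce, ReplayGuard and replay_demo, the consumer key and the timestamps are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Set, Tuple


def weak_nonce(now: float) -> str:
    """Constructed weak generator: the nonce is a pure function of the clock.

    Two requests built in the same clock tick get the same nonce, and anyone
    who can estimate the sender's clock can predict the value. This stands in
    for a low-entropy, non-CSPRNG generator; it is NOT the library's code.
    """
    return hashlib.sha1(f"{now:.6f}".encode()).hexdigest()[:32]


def strong_nonce() -> str:
    """Hardened generator: 128 bits from the OS CSPRNG, hex-encoded (32 chars)."""
    return secrets.token_hex(16)


class ReplayGuard:
    """Server-side replay check in the spirit of RFC 5849 section 3.3.

    A request is accepted only if its timestamp lies within `window` seconds of
    the server clock and the (consumer_key, nonce, timestamp) triple has not
    been seen before. A production server would evict entries older than the
    window; this in-memory set keeps everything for simplicity.
    """

    def __init__(self, window: int = 300) -> None:
        self.window = window
        self.seen: Set[Tuple[str, str, int]] = set()

    def accept(self, consumer_key: str, nonce: str, timestamp: int, now: int) -> bool:
        if abs(now - timestamp) > self.window:
            return False  # stale or future-dated: outside the replay window
        key = (consumer_key, nonce, timestamp)
        if key in self.seen:
            return False  # exact replay of a request already processed
        self.seen.add(key)
        return True


def replay_demo() -> dict:
    """Walk through the replay scenario with constructed values."""
    guard = ReplayGuard(window=300)
    consumer_key = "example-consumer"  # constructed
    now = 1_700_000_000  # constructed server clock, Unix seconds

    # Legitimate request: fresh CSPRNG nonce, accepted.
    nonce = strong_nonce()
    first = guard.accept(consumer_key, nonce, now, now)

    # Attacker replays the captured request five seconds later: same nonce,
    # same timestamp, same (still valid) signature. The guard refuses it.
    replayed = guard.accept(consumer_key, nonce, now, now + 5)

    # A request whose timestamp is an hour old is refused regardless of nonce,
    # which is what lets the server bound how many nonces it must remember.
    stale = guard.accept(consumer_key, nonce, now - 3600, now)

    # Two legitimate requests built in the same clock tick by the weak generator
    # collide: the second is indistinguishable from a replay and is refused.
    # This is the uniqueness rule that a low-entropy nonce breaks.
    tick = float(now)
    n1, n2 = weak_nonce(tick), weak_nonce(tick)
    weak_first = guard.accept(consumer_key, n1, now, now)
    weak_second = guard.accept(consumer_key, n2, now, now)

    return {
        "first_accepted": first,
        "replay_accepted": replayed,
        "stale_accepted": stale,
        "weak_nonces_collide": n1 == n2,
        "weak_first_accepted": weak_first,
        "weak_second_accepted": weak_second,
    }


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name}: {outcome}")
```

The guard rejects the replayed request even though its signature verifies, which is why server-side nonce tracking is the control that actually stops replay; the client-side fix restores the uniqueness that tracking depends on, so that honest requests are not refused as collisions and an observer cannot anticipate the next value.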

Remediation

Users are advised to upgrade to Guzzle OAuth Subscriber version 0.8.1 or later. The installed version can be checked with composer show guzzlehttp/oauth-subscriber or by inspecting composer.lock. Independently of the client fix, servers should continue to reject any consumer key, nonce and timestamp combination they have already seen within the accepted timestamp window, as RFC 5849 section 3.3 describes; client-side nonce quality is not a substitute for that server-side check.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.