phpseclib AES-CBC Padding Oracle Timing Attack Vulnerability

Vulnerability

A timing side channel has been identified in phpseclib, a PHP secure communications library, when AES is used in CBC mode. Affected versions are 1.0.26 and earlier, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49. The flaw is in the unpadding step that follows decryption: the time taken to reject a block with malformed padding depends on the content of that padding. An attacker who can submit chosen ciphertexts and measure how long the library takes to process them can therefore learn whether each one had valid padding, which is exactly the one bit a padding oracle attack needs.
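To show what a timing-dependent unpadding step looks like, here is an added illustration (not phpseclib's code, and not how its fix is written) of a PKCS#7 unpad that returns at the first bad byte next to one that inspects a fixed number of bytes and folds every check into a mask. Wall-clock timing in Python is too noisy to demonstrate the effect, so each function instead reports how many trailing bytes it inspected; CPython is not a constant-time language, so the branch-free version shows the structure a native implementation would use, not a guarantee.

```python
"""PKCS#7 unpadding: an early-exit check beside a branch-free one.

Added illustration, not phpseclib's code.  The leak the advisory describes
comes from the shape of the padding check, so the functions count how many
trailing bytes they inspect instead of timing themselves.
"""
from __future__ import annotations

BLOCK = 16


def unpad_early_exit(buf: bytes) -> tuple[bytes | None, int]:
    """Leaky variant: stops at the first wrong padding byte.

    Returns (plaintext or None, trailing bytes inspected).  The count, and so
    the running time, depends on where the padding breaks, which is exactly
    the bit a padding-oracle attacker needs.
    """
    if len(buf) < BLOCK or len(buf) % BLOCK:
        return None, 0
    n = buf[-1]
    if n == 0 or n > BLOCK:
        return None, 1
    inspected = 0
    for i in range(1, n + 1):
        inspected += 1
        if buf[-i] != n:            # data-dependent early exit
            return None, inspected
    return buf[:-n], inspected


def _nonzero(x: int) -> int:
    """1 if the byte value x is non-zero, else 0, computed without a branch."""
    return (x + 0xFF) >> 8


def unpad_constant_time(buf: bytes) -> tuple[bytes | None, int]:
    """Hardened variant: always inspects the last BLOCK bytes.

    Each check becomes a 0/1 mask OR-ed into `bad`, and the verdict is read
    only after all the work is done, so the work does not depend on the data.
    CPython is not constant-time; this shows the structure, not a guarantee.
    """
    if len(buf) < BLOCK or len(buf) % BLOCK:
        return None, 0              # the length is public, this branch leaks nothing
    n = buf[-1]
    bad = ((n - 1) >> 8) & 1        # 1 if n == 0
    bad |= ((BLOCK - n) >> 8) & 1   # 1 if n > BLOCK
    inspected = 0
    for i in range(1, BLOCK + 1):
        inspected += 1
        in_pad = ((i - n - 1) >> 8) & 1          # 1 if position -i lies inside the padding
        bad |= in_pad & _nonzero(buf[-i] ^ n)    # padding byte that does not equal n
    return (None if bad else buf[:-n]), inspected


def demo() -> dict[str, tuple[int, int]]:
    """Constructed inputs; returns (bytes inspected early-exit, bytes inspected constant-time)."""
    samples = {
        "valid": b"hello world" + bytes([5]) * 5,       # correct 5-byte padding
        "bad_at_2": b"A" * 14 + bytes([7, 8]),          # claims 8 bytes, 2nd from the end is wrong
        "bad_at_9": b"A" * 8 + bytes([12]) * 8,         # claims 12 bytes, 9th from the end is wrong
        "zero_length": b"A" * 15 + bytes([0]),          # a padding length of 0 is never valid
    }
    return {name: (unpad_early_exit(s)[1], unpad_constant_time(s)[1])
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (early, const) in demo().items():
        print(f"{name:12s} early-exit inspected {early:2d} bytes, constant-time inspected {const:2d}")
```

The early-exit version inspects 5, 2, 9 and 1 bytes for the four constructed inputs, so its running time tells the caller where the padding broke; the branch-free version inspects 16 every time. A native implementation would also need to make the final selection and the error path constant-time, which Python cannot express.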

Impact

An attacker who can submit ciphertexts and observe how long they take to process can use the timing difference as a padding oracle: by modifying the block preceding a target block and watching whether the padding check passes, they can recover the plaintext of any ciphertext block by block without ever learning the key, and the same oracle lets them build ciphertexts that decrypt to plaintext of their choosing. No explicit error message is needed; the leak is the timing difference itself, so the attack applies even where decryption failures are reported uniformly. Remote measurements are noisy, so a real attack needs repeated queries per byte, but that raises the cost rather than ruling it out.
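To make the impact concrete, the following is an added, self-contained demonstration of the classic CBC padding-oracle attack run against a toy Feistel cipher built on SHA-256. It is not an exploit for phpseclib, uses no phpseclib API, and its key, IV and message are constructed for the example. The oracle here answers the padding question directly; with the advisory's flaw the same bit would be read off the difference in processing time, at the cost of more queries to average out noise.

```python
"""Why a padding oracle matters: plaintext recovery from a yes/no answer.

Added, generic demonstration against a toy Feistel block cipher; not an
exploit for phpseclib and no phpseclib API is used.  Key, IV and message
are constructed for the example.
"""
import hashlib

BLOCK = 16
ROUNDS = 4
KEY = bytes(range(16))                          # constructed fixed key, demo only
IV = bytes(range(16, 32))                       # constructed fixed IV, demo only
PLAINTEXT = b"The quick brown fox jumps over"   # constructed sample message


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: a keyed hash truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    padded = pkcs7_pad(data)
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def padding_is_valid(key: bytes, prev: bytes, block: bytes) -> bool:
    """The oracle: decrypt one CBC block and report only whether the PKCS#7
    padding is well formed.  An exception, an error message, or the timing
    difference the advisory describes all hand this bit to the attacker."""
    p = _xor(decrypt_block(key, block), prev)
    n = p[-1]
    return 1 <= n <= BLOCK and p.endswith(bytes([n]) * n)


def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover D_key(target) byte by byte, then XOR with the real previous block."""
    inter = bytearray(BLOCK)                 # intermediate value D_key(target)
    for j in range(BLOCK - 1, -1, -1):
        v = BLOCK - j                        # padding value forced at positions j..15
        crafted = bytearray(BLOCK)
        for k in range(j + 1, BLOCK):
            crafted[k] = inter[k] ^ v        # known bytes are set so they decrypt to v
        for guess in range(256):
            crafted[j] = guess
            if not oracle(bytes(crafted), target):
                continue
            if j == BLOCK - 1:
                # A hit on the last byte may be a false positive such as ...02 02;
                # flipping the byte before it must not matter if the padding is really 01.
                crafted[j - 1] ^= 0xFF
                still_valid = oracle(bytes(crafted), target)
                crafted[j - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[j] = guess ^ v
            break
        else:
            raise RuntimeError("oracle accepted no guess; it is not a padding oracle")
    return _xor(bytes(inter), prev)


def run_attack() -> tuple[bytes, int]:
    """Encrypt the sample, then recover it using only the oracle.
    Returns (recovered plaintext, number of oracle queries)."""
    ciphertext = cbc_encrypt(KEY, IV, PLAINTEXT)
    queries = 0

    def oracle(prev: bytes, block: bytes) -> bool:
        nonlocal queries
        queries += 1
        return padding_is_valid(KEY, prev, block)

    recovered, prev = b"", IV
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        recovered += recover_block(oracle, prev, block)
        prev = block
    return recovered[:-recovered[-1]], queries   # strip the padding of the last block


if __name__ == "__main__":
    text, n = run_attack()
    print(f"recovered {text!r} with {n} oracle queries and no key")
```

Run with `python3`; it recovers the 30-byte message with at most 256 queries per byte (plus a couple of disambiguation queries for the last byte of each block) and never touches the key. The cipher is deliberately a toy: the attack never depends on the block cipher, only on CBC plus a padding check whose outcome can be observed.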

Remediation

Upgrade to phpseclib 1.0.27, 2.0.52 or 3.0.50, which fix the unpadding step. Where upgrading is not immediately possible, switching AES to CTR, CFB or OFB mode removes the padding step altogether, and with it this oracle. Note that none of these modes, CBC included, authenticate the ciphertext: an attacker can still flip plaintext bits undetected. The robust fix is to authenticate the ciphertext and verify the tag before decrypting, either with a MAC over IV and ciphertext (encrypt-then-MAC, compared in constant time) or with an authenticated mode such as GCM, which phpseclib 3 provides for AES; a tampered ciphertext is then rejected before any padding is examined.

Added: Mar 20, 2026, 3:27 AM
Updated: Mar 20, 2026, 3:27 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 4.0
remediation: 8.3
relevance: 4.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.