CVE-2025-21617: Guzzle OAuth Subscriber has insufficient nonce entropy
Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.
References
- github.com/advisories/GHSA-237r-r8m4-4q88
- github.com/guzzle/oauth-subscriber
- github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php
- github.com/guzzle/oauth-subscriber/commit/92b619b03bd21396e51c62e6bce83467d2ce8f53
- github.com/guzzle/oauth-subscriber/releases/tag/0.8.1
- github.com/guzzle/oauth-subscriber/security/advisories/GHSA-237r-r8m4-4q88
- nvd.nist.gov/vuln/detail/CVE-2025-21617
Code Behaviors & Features
Detect and mitigate CVE-2025-21617 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →