logo

Database

Insecure generation of random numbers In guzzlehttp/oauth-subscriber

Description

Guzzle OAuth Subscriber has insufficient nonce entropy

Impact

Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.

Patches

Upgrade to version 0.8.1 or higher.

Workarounds

No.

References

Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-216172. NVD-2025-216173. OSV-2025-216174. GHSA-237r-r8m4-4q885. GCVE-2025-21617

References

1. https://github.com/guzzle/oauth-subscriber/security/advisories/GHSA-237r-r8m4-4q882. https://github.com/guzzle/oauth-subscriber/commit/92b619b03bd21396e51c62e6bce83467d2ce8f533. https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L1924. https://github.com/guzzle/oauth-subscriber/releases/tag/0.8.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-T3IDJ – Vulnerability | Fluid Attacks Database