This blog will contain a host of informations about various vulnerabilities and thoughts related to vulnerability management.
To view older blog posts, please visit the archives section.
2025-01-07
While not groundbreaking, this finding underscores the importance of the work done by Vulnarium in documenting and bringing attention to vulnerabilities, regardless of their complexity.
As part of writing a previous blog post about CVE-2025-22376, I did some research in various open source repositories to see if I could find the same vulnerability elsewhere. While doing this work, I did uncover a couple of libraries where the issue was present. One of these libraries was Guzzle oauth-subscriber, a PHP library that was used among others, in AWS PHP SDK prior to version 3.
The vulnerability is conceptually the same as CVE-2025-22376, involving the use of an unsafe pseudorandom number generator (PRNG) to generate a nonce, which could lead to predictable values and potential exploitation. In this instance, the issue appears in a PHP library instead. For this reason, I will not be doing a full analysis of this specific new vulnerability.
Guzzle uses a third party, Tidelift, to manage their vulnerability disclosure process. Tidelift is a platform that connects open-source maintainers with organizations, ensuring proper funding, support, and security for open-source projects, including managing vulnerability disclosures efficiently. I have to say that I was most impressed with the speed at which my original email was answered. Here is the general timeline of how the disclosure went:
2025-01-04-20h00 - Discovery of the vulnerability
2025-01-04-21h11 - First email sent to Tidelift containing the full detail along with code example showing how to fix the issue
2025-01-05-11h25 - (On a Sunday!) First response from Tidelift informing me about their process and asking my consent to be put in touch with the dev team
2025-01-05-13h25 - Answer to Tidelift along with a link to the blog post I made about the Perl vulnerability to help them on their analysis
2025-01-06-08h52 - Second email from Tidelift confirming the dev is working on a fix and asking if I wanted to be credited for the vulnerability
2025-01-06-12h06 - Reply asking for credit
2025-01-06-15h12 - Third email from Tidelift informing me that the fix had been released and that CVE-2025-21617 was published along with a GitHub vulnerability advisory
In less than 48 hours, the patch and the CVE were both released after a very short series of exchange. Again, I must say I'm very impressed with how Tidelift handles disclosures.
I remember 12 years ago, trying to do a responsible disclosure for a product on which I had found about 30 vulnerabilities... Including remote code execution... I ended up never being able to actually make that disclosure for a ton of reasons...
Gosh how times have changed! We really are in a golden age for vulnerability research, where tools and collaboration allow for swift and impactful responses to issues, as shown in this case.