CVE-2023-37260

8.2 HIGH

📋 TL;DR

This vulnerability in league/oauth2-server exposes cryptographic keys in error messages when keys are passed to CryptKey as strings without a valid passphrase: the key material ends up in the text of the resulting LogicException. An attacker with access to exception logs could extract the key and undermine the OAuth 2.0 deployment. Only PHP applications using league/oauth2-server versions 8.3.2 through 8.5.2 with string-based key configuration are affected.

💻 Affected Systems

Products:
  • league/oauth2-server
Versions: 8.3.2 through 8.5.2
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using string-based key configuration (not file-based) without proper passphrase validation.

📦 What is this software?

league/oauth2-server is a PHP library from The PHP League that implements an OAuth 2.0 authorization server. It uses a private key to sign the access tokens it issues, so disclosure of that key undermines every token the server has produced.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain private keys from error logs, enabling them to impersonate the OAuth server, issue fraudulent tokens, or decrypt sensitive data, leading to complete authentication system compromise.

🟠 Likely Case

Sensitive cryptographic keys exposed in application logs accessible to unauthorized users, potentially allowing token forgery or privilege escalation.

🟢 If Mitigated

Limited exposure with proper log sanitization and access controls, but still represents an information disclosure vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to application error logs or the ability to trigger the specific exception condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.3

Vendor Advisory: https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm

Restart Required: Yes

Instructions:

1. Update composer.json to require "league/oauth2-server": "^8.5.3"
2. Run composer update league/oauth2-server
3. Restart PHP application/web server
4. Verify no breaking changes in your implementation

🔧 Temporary Workarounds

Use file-based key configuration


Pass cryptographic keys as file paths instead of strings to avoid the vulnerable code path

Modify CryptKey constructor calls to use file paths: new CryptKey('/path/to/key.pem', 'passphrase') instead of new CryptKey($keyString, 'passphrase')

🧯 If You Can't Patch

  • Implement strict access controls on application logs to prevent unauthorized access
  • Configure error logging to exclude sensitive data or use log sanitization filters

🔍 How to Verify

Check if Vulnerable:

Check composer.lock for a league/oauth2-server version between 8.3.2 and 8.5.2 inclusive, and verify whether CryptKey is instantiated with key strings rather than file paths.

Check Version:

composer show league/oauth2-server | grep versions

Verify Fix Applied:

Confirm league/oauth2-server version is 8.5.3 or higher in composer.lock

📡 Detection & Monitoring

Log Indicators:

  • LogicException messages containing cryptographic key material
  • Error logs showing full key strings in exception traces

Network Indicators:

  • Unusual authentication patterns or token validation failures

SIEM Query:

source="application.logs" AND "LogicException" AND ("CryptKey" OR "pass phrase")
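The composer.lock check from "How to Verify" and the log search behind the SIEM query above, as an added Python example that is not part of this advisory or the league/oauth2-server project. It goes slightly beyond the query by also flagging lines that carry a PEM private-key header, which is what a leaked key would actually look like; the composer.lock and log lines are constructed samples.

```python
import json
import re

# Affected range stated in the advisory (inclusive).
VULN_MIN, VULN_MAX = (8, 3, 2), (8, 5, 2)
PEM_HEADER = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


def parse_version(v):
    """Reduce 'v8.5.1' or '8.5.1-beta1' to an integer triple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(v):
    return VULN_MIN <= parse_version(v) <= VULN_MAX


def installed_version(composer_lock_text):
    """Return the locked league/oauth2-server version, or None if absent."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "league/oauth2-server":
            return pkg.get("version")
    return None


def find_key_leaks(lines):
    """Mirror the SIEM query (LogicException + CryptKey/pass phrase) and flag
    PEM headers; returns (line_no, has_key_material) per suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        if "LogicException" not in line:
            continue
        leaked = PEM_HEADER.search(line) is not None
        if leaked or "CryptKey" in line or "pass phrase" in line:
            hits.append((n, leaked))
    return hits


# Constructed sample inputs (not real project files or logs).
SAMPLE_COMPOSER_LOCK = json.dumps({"packages-dev": [], "packages": [
    {"name": "psr/log", "version": "3.0.0"},
    {"name": "league/oauth2-server", "version": "8.5.1"}]})
SAMPLE_LOG = [
    "[2024-01-01 10:00:00] app.ERROR: LogicException: CryptKey -----BEGIN RSA PRIVATE KEY-----MIIE(constructed)",
    "[2024-01-01 10:00:01] app.INFO: access token issued client_id=demo",
    "[2024-01-01 10:00:02] app.ERROR: LogicException: invalid pass phrase for key",
    "[2024-01-01 10:00:03] app.ERROR: RuntimeException: database timeout",
]
```

Feed installed_version() the text of your real composer.lock and find_key_leaks() your application log lines; a (line_no, True) hit means key material is sitting in the log and should be treated as a key compromise, not just a noisy error.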
