Login Sign Up

CVE-2023-52892

7.5 HIGH

📋 TL;DR

This vulnerability in phpseclib allows attackers to craft TLS certificates with special regex characters in Subject Alternative Name fields, potentially bypassing hostname verification. This could enable man-in-the-middle attacks or impersonation of trusted services. All applications using vulnerable phpseclib versions for TLS certificate validation are affected.

💻 Affected Systems

Products:
  • phpseclib
Versions: phpseclib <1.0.22, 2.x <2.0.46, 3.x <3.0.33
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using phpseclib for X.509 certificate host verification. The vulnerability is in the certificate parsing logic itself.

📦 What is this software?

Phpseclib by Phpseclib

View all CVEs affecting Phpseclib →

Phpseclib by Phpseclib

View all CVEs affecting Phpseclib →

Phpseclib by Phpseclib

View all CVEs affecting Phpseclib →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could impersonate legitimate servers, intercept encrypted communications, steal sensitive data, or inject malicious content into trusted connections.

🟠

Likely Case

Targeted attacks against specific applications using phpseclib for TLS validation, potentially leading to credential theft or data interception.

🟢

If Mitigated

Limited impact if proper network segmentation, certificate pinning, or additional validation layers are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept available in GitHub references. Exploitation requires ability to present malicious certificates to vulnerable applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: phpseclib 1.0.22, 2.0.46, 3.0.33 or later

Vendor Advisory: https://github.com/phpseclib/phpseclib/releases/tag/3.0.33

Restart Required: No

Instructions:

1. Update phpseclib via composer: 'composer update phpseclib/phpseclib' 2. Verify version meets minimum: 1.0.22+, 2.0.46+, or 3.0.33+ 3. Test TLS certificate validation functionality

🔧 Temporary Workarounds

Certificate Pinning

all

Implement certificate pinning to validate specific certificates rather than relying solely on hostname verification

🧯 If You Can't Patch

  • Implement network-level controls to restrict TLS connections to trusted endpoints only
  • Deploy additional certificate validation layers or use alternative TLS libraries temporarily

🔍 How to Verify

Check if Vulnerable:

Check composer.json or installed packages for phpseclib version. Vulnerable if version <1.0.22, <2.0.46, or <3.0.33

Check Version:

composer show phpseclib/phpseclib | grep version

Verify Fix Applied:

After update, verify phpseclib version meets minimum requirements and test with known malicious certificates from testing artifacts

📡 Detection & Monitoring

Log Indicators:

  • Unexpected certificate validation failures
  • Connections to unusual hostnames with special characters

Network Indicators:

  • TLS connections with certificates containing regex special characters in SAN fields

SIEM Query:

source="*tls*" AND ("certificate validation" OR "hostname mismatch") AND ("+" OR "*" OR "." OR "?" OR "[" OR "]")

📊 Metadata

CVE ID: CVE-2023-52892
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-436
Published: June 27, 2024
Last Updated: October 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-52892, you might also want to check these:

CVE-2023-24813 10.0

CVE-2023-24813 is a critical vulnerability in Dompdf's SVG parsing that allows attackers to bypass U...

Same vulnerability type (CWE-436)
CVE-2021-45327 9.8

CVE-2021-45327 is a server-side request forgery (SSRF) vulnerability in Gitea's admin and user API e...

Same vulnerability type (CWE-436)
CVE-2024-38428 9.1

GNU Wget through version 1.24.5 incorrectly parses semicolons in the userinfo portion of URIs, poten...

Same vulnerability type (CWE-436)