CVE-2024-27354: 
PHP vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2024-27354) was discovered in phpseclib versions 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. This vulnerability was introduced as an unintended consequence of attempting to fix a previous security issue (CVE-2023-27560) (NVD, MITRE).

The vulnerability allows an attacker to construct a malformed certificate containing an extremely large prime number, which when processed by the isPrime primality check function, causes excessive CPU consumption leading to a denial of service condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD).

When successfully exploited, this vulnerability can cause a denial of service through excessive CPU consumption, potentially affecting the availability of systems using the affected versions of phpseclib (Debian Security).

Users are advised to upgrade to the fixed versions: phpseclib 1.0.23, 2.0.47, or 3.0.36, depending on their current version. Debian has released security updates DLA-3749-1 and DLA-3750-1 to address this vulnerability in their distributions (Debian LTS, Debian LTS).

The vulnerability has been documented and discussed in a GitHub gist by security researchers, highlighting the potential impact on systems using phpseclib (GitHub Gist).