CVE-2024-27355: 
PHP vulnerability analysis and mitigation

An issue was discovered in phpseclib versions 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. The vulnerability affects the ASN.1 object identifier processing functionality when handling certificates (NVD, CVE). The vulnerability was assigned CVE-2024-27355 and was disclosed in March 2024.

The vulnerability occurs during the processing of ASN.1 object identifiers in certificates, where a specially crafted sub identifier can trigger excessive CPU consumption in the decodeOID function. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD).

When exploited, this vulnerability can lead to a denial of service condition through CPU resource exhaustion. The attack specifically targets the certificate processing functionality, potentially affecting system availability by consuming excessive computational resources during the decodeOID operation (Debian LTS).

The vulnerability has been fixed in phpseclib versions 1.0.23, 2.0.47, and 3.0.36. Users are recommended to upgrade to these or later versions. For Debian 10 (buster) users, the fix has been backported in version 1.0.19-3~deb10u3 for phpseclib and version 2.0.30-2~deb10u3 for php-phpseclib packages (Debian LTS).